Abstract

In most computer systems, users' access to resources is controlled using authorization policies. Logic is an appropriate medium for representing, understanding, and enforcing authorization policies, yet despite several years of pragmatic work on the subject, the foundations of relevant logics remain unexplored and poorly understood. It is in this realm that the work of this thesis lies; the thesis explores the theory of logics for expressing authorization policies as well as applications of the theory in practice. In doing so, it makes three foundational and technically challenging contributions.

First, the thesis introduces proof theory and metatheory in the context of authorization logics, illustrated through a new logic BL. In particular, structural proof-theoretic systems of natural deduction and sequent calculus are investigated and their importance explained. Pragmatic problems like proof verification and automatic proof search are then addressed using the sound foundations of proof theory.

Second, the thesis considers a logical treatment of dynamism in authorization policies and, in particular, logical constructs for representing authorizations depending on system state, consumable credentials, and explicit time are presented. Further, a practical, efficient, and provably correct mechanism for their enforcement is developed. The mechanism is based on a combination of proofs and cryptographic capabilities.

Third, the practical usefulness of the proof theory and the enforcement mechanism is demonstrated through an implementation of the same in a file system, PCFS. It is shown through measurements that file access in PCFS is very efficient.

In addition, the thesis includes a detailed case study that formalizes in BL policies used to control access to classified information in the U.S., and explains how the policies may be enforced using PCFS.
Chapter 1

Background and Motivation


1.1 Background: The Problem of Access Control

Both for the purpose of security and as good programming practice, the access that principals (users, programs, etc.) have to resources is often restricted. This practice, generically called access control, is pervasive; its use ranges from low level memory subsystems where programs are limited to reading and writing their own memory pages to applications like web servers where web documents are protected from unauthorized users. Despite differences in both the resources protected and the principals from whom they are protected, the high level architecture of most access control mechanisms is similar - all calls that access a protected resource pass through a subsystem called the reference monitor, which, based on the identity of the principal making the call, the resource being accessed, and the nature of the call (read, write, create, etc.), either allows the call to proceed or blocks it. The process by which the reference monitor identifies the principal making the call is called authentication, whereas the process of deciding whether to allow access or not is called authorization. Authentication, although very important, is a well-studied problem with solutions that work in almost any setting; for example, one may use passwords or secret keys for authentication. This thesis focuses on the other problem - authorization. We use the term “authorization policy” or policy to refer to the rules on which authorization decisions are based.

Authorization. A significant question in the design of an access control subsystem is how the reference monitor decides which requests to authorize and which to deny. One possibility, which is unfortunately often used, is to encode this information in the program of the reference monitor, making no separation between the code and the authorization policy. This approach is non-modular and requires that code be changed every time the policy changes. The other possibility is to make the policy an input to the code, perhaps to be read from a configuration file. Separating code from policy makes the access control subsystem both more robust and more modular. In particular, changes to the policy, including the special case of fixing errors in it, do not require changes to code. Further, the code and the policy can be analyzed separately for correctness.
Access control lists and their problems. Given that policy and code should be separated, the next important question is how the policy may be represented, and how consequences may be drawn from it. A common solution to this problem is to model the policy as a table that for every principal k, resource r, and operation o tells whether principal k may perform operation o on resource r or not [89]. This model of the access control policy is called an access control matrix. An access control matrix is often represented by storing its entries with the respective resources to which they apply. The entries stored with each resource are called an access control list (ACL). Although access control lists are both simple to implement and very widely used in practice, they are low level representations of the policy and suffer from the drawback that they do not carry information about why a certain access is allowed or denied. As a result, in scenarios where accountability of access is a concern (e.g., we would like to know why an individual was able to read a file, not merely that she was able to), additional mechanisms must be provided to record and track reasons for entries in access control lists. Among other applications, such accountability is important in military and intelligence servers with classified information, for businesses that have proprietary data to protect, and in matters of customer privacy. The second problem with access control lists is that it is difficult to keep them up to date with changing access requirements, and this often results in policy errors and inadvertent accesses. We illustrate the limitations of access control lists in the following example.

Example 1.1. Consider a hypothetical scenario where Alice is an employee of the company AuthCo, and within the company works for the team GovTeam, which handles contracts from the government. As a member of the team Alice has access to a government dataset d. Owing to the sensitive nature of the dataset, this access is contingent upon her maintaining a government security clearance.

Suppose that the access control policy for the dataset d is represented using ACLs. While Alice has access, her name would be on the ACL of d. Observe, however, that the access control list does not provide any evidence as to why Alice has this access (it does not record her affiliation with GovTeam, nor her security clearance). As a result, if an internal auditor were to try to determine whether it is legitimate to have Alice's name on the ACL or not, he would have to consult many other sources. Further, if Alice were to lose her government security clearance, some administrator would have to manually observe this change and go ahead and remove her name from the ACL. If for any reason the administrator failed to take notice, Alice would continue to have access when she should not, resulting in a security breach.

Rule-based representation. The problems with ACLs, as illustrated by Example 1.1, can be eliminated using a rule-based representation of policies. Intuitively, in such a representation the policy is a set of if-then rules, and access is allowed only if it is entailed by the rules. As an illustration, the policy in Example 1.1 may be expressed by the following rules.

1. For any principal k, if k works for GovTeam and k has a government security clearance then k can read dataset d.

2. Alice works for GovTeam.

3. Alice has a government security clearance.

The main advantage of representing the policy as rules is that the reason for access becomes explicit. Here, for instance, were an audit to be performed, it would be clear that Alice has access because she works for GovTeam and also has a government security clearance. Further, when Alice wants to read d, the reference monitor (or, as we shall see later, Alice) must infer that these three rules entail that Alice may do so, and this inference can be logged as evidence that explains why Alice obtained access. This increases accountability and improves assurance in the access control subsystem. The second advantage of using rules is that such a representation can be implemented so that a change in the conditions on which an access depends propagates automatically to the access decision, without anyone editing a list. (This is explained in §1.2.2.) For example, if Alice were to lose her government security clearance, there would no longer be any inference to authorize Alice's read request, and hence she would no longer be able to read d.

The role of formal logic. The next relevant issue is determining a formal language that may be used to represent policy rules and determine their consequences. While there are many different kinds of existing formal languages for representing policy rules, this thesis rests on the idea that logic may be used to represent policy rules and to enforce them (see §3.7 for a description of some other formalisms). This is an observation that goes back to Lampson and others [88]. As an example, the policy rules (1)-(3) may be represented by the three formulas below, assuming that the predicate worksFor(k, GovTeam) means that k works for GovTeam, hasClearance(k) means that k has a government security clearance, and may(k, d, read) means that k is allowed to read dataset d.

1'. ∀k. ((worksFor(k, GovTeam) ∧ hasClearance(k)) ⊃ may(k, d, read))

2'. worksFor(Alice, GovTeam)

3'. hasClearance(Alice)

The reader may check that in either classical or intuitionistic logic, (1')-(3') entail the formula may(Alice, d, read). This idea of using logic to represent policy rules and to find their consequences is the starting point for this thesis, and hence extremely important from our perspective. The following are some reasons to show that the use of logic for these purposes is not a mere convenience, but, in fact, very natural and pragmatic.

- Once represented in logic, the consequences of the policy rules are unambiguous since they are defined by the logic's semantics. Hence, logic provides a rigorous foundation for defining the meanings of policies.

- A logical proof that shows why policy rules authorize access may be used to gain access, and it may also be logged to improve the accountability of the access control subsystem.

- Logical inference and automatic proof search based on it can be used to implement the policy rules directly. This point is elaborated in the rest of this thesis.
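
The three points above, carried through on the rules (1')-(3'), as an added example that is not code from the thesis or from PCFS. The block is a small forward-chaining engine for Horn clauses, the fragment of first-order logic that (1')-(3') live in, so its derivations are valid in classical and intuitionistic logic alike. For every fact it derives it keeps the rule instance and the premises that justified it; that record is the evidence an auditor would want to see in a log, and withdrawing the clearance fact shows the access disappearing with no list to edit. The policy encoding (GOVTEAM_POLICY), the tuple representation of atoms and the helper names are all choices made for this example.

```python
"""Rule-based authorization with explicit reasons (added example for the
rules (1')-(3') of Section 1.1; not code from the thesis or from PCFS).

A fact is a tuple (predicate, args...); a rule is (head, [body atoms]);
strings beginning with '?' are variables.  derive() computes everything the
rules entail and remembers why, explain() renders that 'why' as the text an
audit log would keep.
"""

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def unify(pattern, fact, subst):
    """Extend subst so that pattern matches fact; None if impossible."""
    if len(pattern) != len(fact) or pattern[0] != fact[0]:
        return None
    subst = dict(subst)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if subst.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return subst

def substitute(atom, subst):
    return tuple(subst.get(t, t) for t in atom)

def match_body(body, facts, subst):
    """Yield every substitution under which all body atoms are known facts."""
    if not body:
        yield subst
        return
    for fact in list(facts):
        s = unify(body[0], fact, subst)
        if s is not None:
            yield from match_body(body[1:], facts, s)

def derive(rules):
    """Least fixpoint of the rules: {fact: (rule_index, [premise facts])}."""
    proofs = {}
    changed = True
    while changed:
        changed = False
        for i, (head, body) in enumerate(rules):
            for s in match_body(body, proofs, {}):
                fact = substitute(head, s)
                if fact not in proofs:
                    proofs[fact] = (i, [substitute(b, s) for b in body])
                    changed = True
    return proofs

def fmt(atom):
    return f"{atom[0]}({', '.join(atom[1:])})"

def explain(fact, proofs, depth=0):
    """Render the derivation of fact as an indented tree, one premise per line."""
    rule_index, premises = proofs[fact]
    line = "  " * depth + f"{fmt(fact)}   [by rule {rule_index + 1}']"
    return "\n".join([line] + [explain(p, proofs, depth + 1) for p in premises])

def may_read(policy, principal, resource):
    """Authorization decision together with its proof, or (False, None)."""
    proofs = derive(policy)
    goal = ("may", principal, resource, "read")
    return (True, explain(goal, proofs)) if goal in proofs else (False, None)

# The policy of Section 1.1, encoded for this example.
GOVTEAM_POLICY = [
    # 1'.  ∀k. ((worksFor(k, GovTeam) ∧ hasClearance(k)) ⊃ may(k, d, read))
    (("may", "?k", "d", "read"),
     [("worksFor", "?k", "GovTeam"), ("hasClearance", "?k")]),
    # 2'.  worksFor(Alice, GovTeam)
    (("worksFor", "Alice", "GovTeam"), []),
    # 3'.  hasClearance(Alice)
    (("hasClearance", "Alice"), []),
]

def without_clearance(policy):
    """The same policy after Alice's clearance has been withdrawn."""
    return [r for r in policy if r[0] != ("hasClearance", "Alice")]

if __name__ == "__main__":
    ok, why = may_read(GOVTEAM_POLICY, "Alice", "d")
    print(ok)
    print(why)   # the derivation tree an audit log would record
    print(may_read(without_clearance(GOVTEAM_POLICY), "Alice", "d"))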
1.2 Technical Background

Having justified the importance of logic in the context of authorization, we now turn to technical work in the area which serves as background for the thesis. First, we describe some existing work on logics that are well suited for representing policies (called authorization logics) and, second, we describe proof-carrying authorization, a formal mechanism for enforcement of policies represented in logic. These two together also lead directly to the motivation for this thesis (§1.3).

1.2.1 Authorization Logics

Although many authorization policies may be represented in propositional or first-order logic as, for example, we did in §1.1, there are some commonly occurring policy idioms that are best represented with specialized logical connectives (see §3.1.2 for examples). Many logics with such specialized connectives have been proposed, e.g., [5, 8, 13, 18, 54, 65-67, 88]. We use the term authorization logic to designate any logic that has been designed with the explicit purpose of representing authorization policies.

In addition to authorization logics, there is also a significant amount of past work on logic-based declarative languages for writing authorization policies and determining their consequences, e.g., [23, 26, 49, 52, 118]. Most of these languages have a syntax that resembles the syntax of logical formulas, and their inference rules are often based on logic programming.

Although we postpone a comparison of different authorization logics and logic-based authorization languages to later chapters (§3, §4, and §9), we discuss here, in brief, one connective that is common to many authorization logics and authorization languages. This connective, written k says s, was first introduced in an authorization logic by Lampson et al. [8, 88]. k says s means that principal k says, claims, or supports the formula s, but does not imply that s is true. The connective is useful for representing the authority of principals over parts of policies, and for capturing the interactions between rules created by different principals, as the following example illustrates.

Example 1.2. Continuing the scenario of Example 1.1, let us assume that there are three principals involved in authorization: (a) admin, who has ultimate authority on deciding who should have access to the dataset d, (b) AuthCoHr, which determines team affiliations of employees of AuthCo, and (c) Gov, which determines government security clearances. Accordingly, the policy rules (1)-(3) from §1.1 may be refined by the rules shown below to specify these authorities. The principal who certifies (creates) each rule is indicated at the beginning of the rule in square brackets [·].

1a. [admin] For every principal k, if AuthCoHr certifies that k works for GovTeam and Gov certifies that k has a security clearance, then k is allowed to read dataset d.

2a. [AuthCoHr] Alice works for GovTeam.

3a. [Gov] Alice has a government security clearance.
Using the connective k says s, these rules may be represented as follows.

1a'. admin says ∀k. (((AuthCoHr says worksFor(k, GovTeam)) ∧ (Gov says hasClearance(k))) ⊃ may(k, d, read))

2a'. AuthCoHr says worksFor(Alice, GovTeam)

3a'. Gov says hasClearance(Alice)

In general, principal Alice will be allowed to read dataset d only if there is a proof of the following formula: admin says may(Alice, d, read). In most authorization logics, but not all, (1a')-(3a') entail this formula.

1.2.2 Proof-carrying Authorization (PCA)

Proof-carrying authorization (PCA), earlier called proof-carrying authentication, is a rigorous mechanism based in cryptography and formal proofs that is used for distributed enforcement of authorization policies represented in logic. It was introduced by Appel and Felten [13], and has since been used for access control both on the web [18] and in physical devices like office doors [20], as well as in language interfaces for controlling access to sensitive resources like files [15, 41, 85]. Although PCA has traditionally relied on policies represented in higher-order logic, its central ideas (listed below) generalize to any authorization logic.

- Principal k' should be allowed to perform operation o on resource r if and only if k' can produce a formal proof which shows that the policy rules in effect entail that access should be allowed. For instance, with the rules of Example 1.2 in §1.2.1, k' would have to prove the formula admin says may(k', r, o) from the policy rules (1a')-(3a').

- Policy rules may be established using digital signatures: if principal k signs the formula s with its private key, then the resulting digital certificate is evidence that k says s holds.¹ (k says s can also be inferred from other formulas via the logic's inference system.)

Based on these ideas, PCA allows distributed enforcement of authorization policies represented in logic in the following manner. Administrators sign policy rules in digital certificates which are then published through any mechanism (such as an LDAP server). A principal k' desirous of access selects certificates it believes relevant to authorizing its access, and taking the policy rules instated by the certificates as hypotheses, constructs a logical proof M which establishes that it has legitimate access. Along with its request to perform the access, k' also provides the proof M and the certificates used in it to the reference monitor (hence the adjective “proof-carrying”). The reference monitor verifies the digital certificates by checking the digital signatures in them, and also verifies the logical proof M. If both checks succeed, the access is allowed, else it is blocked.

¹ In a lot of work on PCA [13, 18, 20], a digital certificate establishes a formula k signed s, which implies, but is not implied by, k says s. However, in this thesis we blur the distinction, since we have no occasion to use k signed s.
Since the principal requesting access must provide the certificates on which the proof relies, the reference monitor is freed from the responsibility of tracking all policy rules in effect. This makes PCA truly distributed. The main reason that PCA requires that the principal requesting access provide a proof authorizing its access, as opposed to the reference monitor finding the proof itself via automatic proof search, is one of efficiency. It is a well-known fact that for most logics proof verification is straightforward and takes time linear in the size of the proof, whereas the time for proof search is at least exponential in the size of the hypotheses and the formula being established; in most cases proof search is undecidable. By distributing the work of inference to principals, PCA not only prevents proof search from making the reference monitor a performance bottleneck, but also admits the possibility of allowing each principal to use other information such as its knowledge of context and state, as well as human intervention, to quickly construct proofs.

Whereas the PCA architecture works well in settings like web services where communication delay overshadows verification time significantly, for low level interfaces like file systems even proof verification at each access becomes a performance bottleneck (this is explained in Section 1.3). As a result, in these situations PCA is not appropriate, and one of the significant contributions of this thesis is a rigorous architecture for policy enforcement that overcomes this problem (§5), and a practical demonstration in a file system that it is actually efficient (§7).

1.3 Motivation for the Thesis

There are three main motivations for the work in this thesis, which we explain in this section.

Motivation 1 (Proof-theoretic foundations). As should be obvious from the description of proof-carrying authorization, logical inference and proofs play a significant role in enforcement of policies represented in logic. Yet, surprisingly, prior to the joint work of the author and Pfenning [67], which in a sense forms the foundation for the theoretical ideas in this thesis, there was hardly any systematic investigation of the proof theory of authorization logics. Authorization logics up to that point were either described axiomatically or via inference rules that had little justification besides the fact that they suited the intended applications. Structural proof systems such as natural deduction and the sequent calculus [70] were missing, as was a description of metatheoretic properties of authorization logics, such as admissibility of cut and consistency. Besides their use in proof-carrying authorization, good proof theory and metatheoretic properties are important in the context of authorization for the following reasons:

- Allowed inferences or proofs define the meanings of authorization policies and, as a result, semantics other than proof-theoretic (model-theoretic, Kripke, set-theoretic) are of secondary importance for authorization.

- Proof theory can be used to justify the foundations of the logic in the form of metatheoretic properties like cut elimination and symbolic consistency, as in a lot of prior work on other logics [39, 99, 115].

- Proof-theoretic results can be used directly in practical tools such as provers and verifiers, both of which are essential in logic-based enforcement of authorization.

A thorough investigation of the proof theory and metatheory of a specific authorization logic constitutes a significant portion of the theoretical work in this thesis and forms the foundation for the rest of the thesis. It should be emphasized here that, owing to specialized constructs like the modality k says s and many others that we introduce in this thesis, the proof theory of authorization logics is non-trivial and proof-theoretic results from classical and intuitionistic logics do not directly apply.

Motivation 2 (Support for dynamic policies). As was illustrated briefly in Example 1.1, allowed accesses in practice are not static, but change with time. Being able to express such possibly changing (dynamic) policies in an authorization logic and enforcing them with proof-carrying authorization is a significant challenge, and forms the next motivation for this thesis. In general, dynamism in policies can be of different types, some of which we summarize below.

- Start and expiration: A policy rule may come into effect at a stipulated point of time. Similarly, it may expire at a stipulated point of time. Representing either of these requires that there be an explicit representation of clock time in the logic.

- State dependence: An authorization may be allowed only while the system is in a certain state, which may change unpredictably. Representing state dependence requires a syntax to mark predicates as being external to the logic, and a formal incorporation of system state in the proof system.

- Consumption: A permission may be usable a finite number of times. Representing such permissions requires that the logic be able to count resources.

- Revocation: A policy rule may be revoked by its creator at a time that is not predictable, e.g., because the rule was created in error. Although revocation cannot be represented in a logic (a priori, in a logic the hypotheses are assumed to hold), it is nonetheless important in practice.

Prior to the work of the author, often jointly with others [54, 66], there was no systematic mechanism to represent any of these forms of policy dynamism in authorization logics. Logic-based authorization languages included limited support for some of these, but the solutions lacked a logical foundation (see §4.7 and §9.4 for a discussion of some of this work). In this thesis, we present systematic logical ways to express expiration, state dependence, and consumption in authorization logic, and describe how all of these as well as revocation may be enforced in an extension of proof-carrying authorization.

Motivation 3 (Efficiency of enforcement). Proof-carrying authorization (§1.2.2) is practical in only those scenarios where proof verification can be performed fast enough to not make the reference monitor a bottleneck in practice. Although the exact time varies, proof verification in practice takes several milliseconds at the least. Most of this time is spent in reading proofs and certificates from storage, and in parsing them. Whereas this time frame is acceptable in many access control scenarios such as network services and in physical devices, where other processes like network communication and movement of mechanical parts take much longer, it is slow enough to make the reference monitor a bottleneck in operation-intensive applications like file systems.² Making proof-carrying authorization efficient enough for use in operation-intensive settings like file systems, without losing any of its rigorous guarantees, forms the motivation for the implementation work in this thesis. We argue in this thesis that PCA can be complemented with capabilities to attain this efficiency, without losing any of its formal rigor, and demonstrate the practicality of the architecture through a file system implementation.

Thesis Statement. Based on the motivations described above, the statement of the thesis is:

“Logic, grounded in strong proof theory, can be used for representing and reasoning about dynamic authorization policies, and for efficiently enforcing them.”

1.4 Summary of Work in the Thesis

The work in this thesis can be divided roughly into three parts: (a) theoretical work on the proof theory of a new authorization logic called BL, (b) the design and implementation of a practical file system, PCFS, that relies on the logic's proof theory and metatheoretic properties for representation of authorization policies and their enforcement, and (c) a case study of real policies for access control on classified information in the U.S. to demonstrate the usability of both BL and PCFS.

The logic BL. The presentation of the authorization logic BL focuses on its proof theory and metatheoretic properties for reasons mentioned in §1.3 (Motivation 1). We present both a natural deduction proof system, which provides an intuitive proof-theoretic explanation of the meanings of connectives and forms the basis of proofs, and a sequent calculus, which is useful for proof search and as a tool for proving theorems about the logic.

The choice of a new logic, as opposed to the possibility of using an existing authorization logic, is justified because BL is better suited to representing policies than existing authorization logics. In particular, BL is intuitionistic, first-order, and interprets the modality k says s in a novel way. The use of intuitionistic logic, as opposed to prior proposals which were classical, is explained at the end of this section. First-order quantification is important because it arises naturally in policies that often are generic in principals, resources, etc. Interestingly, all authorization logics prior to the work of the author [67] were either propositional or higher-order, although some logic-based authorization languages allowed first-order quantification, e.g., [52]. The unique interpretation of k says s in BL permits the representation of certain forms of delegation that are important in practice; this is justified in §3.1.2. We formally establish the expressiveness of BL through sound and complete embeddings from an existing authorization logic, and an existing logic-based authorization language, into a fragment of BL (§3.5).

² To confirm this hypothesis, we implemented a file system that verifies proofs at each access, and noticed visible delays even in simple operations like listing directory contents in a shell.

Another important emphasis in the design of BL is the representation and enforcement of dynamic policies, as described in §1.3 (Motivation 2). The logic BL contains explicit time, as well as support for predicates that are external to the logic and interpreted directly on the state of the system (§4). The treatment of explicit time is based on joint work with DeYoung and Pfenning [54], and builds on ideas from DeYoung's undergraduate thesis [53]. Predicates interpreted on the state of the system are novel to this thesis. An extension of BL, called BL_L, uses ideas from linear logic [71] and builds on prior joint work of the author [66] to allow for the representation of certificates that can be used a finite number of times only (§9).

In addition to the proof theory and metatheoretic properties of BL, the thesis also considers their practical implications in the form of procedures for proof verification and proof search. A detailed investigation of proof terms and their practical verification (which is complicated due to the presence of explicit time and state) is presented in §5. A practical method for proof search that builds on the proof theory and the literature on logic programming is presented in §6.


The file system PCFS. As observed in §1.3 (Motivation 3), the PCA idea of verifying
proofs during each call to the reference monitor is infeasible in heavily used settings like file
systems because reading and parsing of proofs and certificates makes the reference monitor
a bottleneck. Consequently, this thesis proposes and demonstrates the implementation of a
revised architecture where the work of proof verification is offlined to trusted verifier(s) outside
the reference monitor. The trusted verifiers issue very simple cryptographic capabilities
in return, which may be presented to the reference monitor as evidence of authorized access.
These capabilities, called procaps, can be verified in a few microseconds each, which allows
the reference monitor to handle thousands of calls a second. While the idea of offlining
policy enforcement is not new, and may seem very trivial, what makes the design difficult
and technically challenging is the interaction between dynamic policy elements, proofs and
procaps. If, for example, a proof relies on a policy rule that is set to expire at a stipulated
time, this constraint on time must be reflected in any procap generated from the proof. The
procaps, therefore, are conditional on those policy elements in proofs that are dynamic.

We show in this thesis that any constraints on proofs due to explicit time and dependence
on system state can be systematically extracted in the proof verification procedure and
written to capabilities; we also show rigorously that the extracted constraints suffice to
establish that the original proof still holds at a later point of time, which immediately implies
that the enhanced architecture is equivalent (in terms of allowed accesses) to PCA (§5). It
therefore achieves high efficiency without compromising any of PCA's rigor. As a practical
demonstration we have implemented a file system, PCFS, that uses the architecture and
through experimental measurements we show that the file system allows high throughput
of up to several thousand file system calls a second (§7). We also discuss how the other
two forms of policy dynamism listed in §1.3, namely revocation and consumption, may be
implemented through procaps.
At a high level of abstraction, procaps used in PCFS are similar to entries of a cache
that a reference monitor may maintain to record accesses it has authorized in the past.
However, procaps are more general than cache entries since they scale easily to decentralized
settings where the trusted verifier and reference monitor are running on different nodes of
a network. Further, as opposed to a reference-monitor-maintained cache, procaps are closer
in spirit to proof-carrying authorization where the principal seeking access is responsible for
maintaining and providing evidence to authorize access. Another merit of using capabilities
as opposed to caches is that both the design and implementation of the access control system
factor into two parts that interact via capabilities only: (a) the front end that deals with
policies, proofs, and verification of proofs and certificates, and (b) the back end that uses
capabilities to authorize access and perform I/O. Indeed, the PCFS back end is independent
of the logic used in the front end, and it can be used with any policy infrastructure that
produces compatible capabilities.

A  salient  feature  of  PCFS,  unrelated  to  logic,  is  its  backwards  compatibility  with  existing 
programs  and  nearly  complete  POSIX  compliance.  This  compatibility  is  the  result  of  two 
design  decisions.  First,  instead  of  requiring  that  procaps  be  passed  during  file  system  calls 
(which  would  require  a  change  to  the  system  call  API),  procaps  are  stored  in  a  central 
location  which  PCFS  looks  up  automatically.  Second,  files  created  by  a  program  remain 
accessible  to  it  temporarily  via  default  procaps  that  are  generated  by  the  file  system  itself. 
This  allows  programs  to  create  and  use  temporary  files  without  having  to  generate  proofs. 
As  a  result,  PCFS  is  able  to  run  most  existing  applications  including  word  processors 
and  spreadsheets  without  any  changes  to  the  applications  themselves,  which  makes  the  file 
system  practical. 


Case  study.  To  verify  and  demonstrate  the  expressiveness  of  BL  as  a  logic  for  representing 
authorization  policies,  and  of  PCFS  as  a  file  system  for  enforcing  them,  a  large  case  study 
of  policies  that  are  used  to  control  the  dissemination  of  classified  information  in  the  U.S.  is 
presented  in  §8.  The  policies  used  in  the  case  study  are  based  on  actual  data  obtained  from 
the  U.S.  intelligence  community  by  Symantec  Corporation,  and  given  to  Carnegie  Mellon 
University  as  part  of  a  joint  government  contract.  The  case  study  is  extensive  and  uses 
most  features  of  BL  including  its  support  for  explicit  time  and  system  state. 

On  the  Use  of  Intuitionistic  Logic  in  the  Thesis 

Following prior work with Pfenning [67], the logic BL is intuitionistic. In contrast, older
authorization logics were classical [8, 18, 20, 88]. The move from classical logic to intuitionistic
logic in the context of authorization is based on the fact that intuitionistic logic
requires constructive evidence for formulas whereas classical logic does not. For instance,
in intuitionistic logic, a closed proof of $s_1 \vee s_2$ always either contains a closed proof of $s_1$ or
a proof of $s_2$ (modulo proof normalization). This is not the case in classical logic wherein
$s_1 \vee s_2$ can be established by showing that the simultaneous falsity of $s_1$ and $s_2$ would entail
a contradiction. Constructive evidence has important consequences for accountability
in authorization. For instance, consider the following two policy rules $p_1$ and $p_2$, both of
which allow access to an office door (predicate $\mathsf{mayenter}(x)$). $p_1$ allows employees access
on weekdays, and $p_2$ allows managers access on other days, i.e. weekends.

$$p_1 : \forall x.\ ((\mathsf{weekday} \wedge \mathsf{employee}(x)) \supset \mathsf{mayenter}(x))$$

$$p_2 : \forall x.\ (((\neg\mathsf{weekday}) \wedge \mathsf{manager}(x)) \supset \mathsf{mayenter}(x))$$

Suppose that Alice is a manager and an employee, and let $e$ and $m$ be proofs that establish
these to be the case.

$$e : \mathsf{employee}(\mathsf{Alice})$$

$$m : \mathsf{manager}(\mathsf{Alice})$$

Assuming that formulas are interpreted classically, let $\mathit{dis}$ stand for an instantiation of the
law of the excluded middle to the formula $(\mathsf{weekday} \vee (\neg\mathsf{weekday}))$. Then, the following is
a proof of $\mathsf{mayenter}(\mathsf{Alice})$.

$$\mathsf{case}\ (\mathit{dis})\ \mathsf{of}\ \ \mathsf{inl}\ v \Rightarrow p_1\ \mathsf{Alice}\ (v, e)\ \ \mid\ \ \mathsf{inr}\ w \Rightarrow p_2\ \mathsf{Alice}\ (w, m)$$

This proof simply case analyzes the disjuncts in $(\mathsf{weekday} \vee (\neg\mathsf{weekday}))$; in one case it
uses $p_1$, in the other it uses $p_2$. The important observation here is that although the proof
establishes access for Alice, it does not make the reason for access explicit. More specifically,
the proof does not state whether Alice has access because it is a weekday and she is an
employee, or because it is a weekend and she is a manager. Clearly, if such a proof were to
be used to audit any specific access that Alice performed, it would provide little insight.

If intuitionistic logic were to be used instead of classical logic, then this proof would be
disallowed since $\mathit{dis}$ would not be valid. Instead, Alice would be forced to provide evidence
of either $\mathsf{weekday}$, or of $\neg\mathsf{weekday}$. In either case, the proof would contain the reason for
access explicitly. It is for such increased accountability that intuitionistic logic has been
chosen for the work in this thesis.
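To make the accountability argument concrete, here is an added example (not the thesis's code, and not BL's actual proof-term syntax) of a tiny proof-term checker for the two mayenter rules above: it provides no excluded-middle axiom, so the classical case analysis on dis is rejected unless dis is handed in as an extra hypothesis, and an audit function reports which policy rule an accepted proof rests on. The formula and proof-term encodings and the constructor names (hyp, inst, app, pair, inl, inr, case) are assumptions made for this example.

```python
# Toy proof-term checker for the mayenter example (added illustration, not the
# thesis's own code). Formulas and proof terms are plain tuples. There is
# deliberately no excluded-middle axiom: a disjunction can only be proved with
# inl/inr from actual evidence, which keeps the reason for an access recoverable.

def atom(name, *args):  return ("atom", name, args)
def conj(a, b):         return ("and", a, b)
def disj(a, b):         return ("or", a, b)
def neg(a):             return ("not", a)
def imp(a, b):          return ("imp", a, b)
def forall(var, body):  return ("forall", var, body)

def subst(formula, var, term):
    """Replace the bound variable `var` by `term` throughout `formula`."""
    tag = formula[0]
    if tag == "atom":
        return ("atom", formula[1], tuple(term if a == var else a for a in formula[2]))
    if tag in ("and", "or", "imp"):
        return (tag, subst(formula[1], var, term), subst(formula[2], var, term))
    if tag == "not":
        return ("not", subst(formula[1], var, term))
    if tag == "forall":
        return formula if formula[1] == var else ("forall", formula[1], subst(formula[2], var, term))
    raise ValueError(tag)

class ProofError(Exception): pass

def check(term, ctx):
    """Return the formula proved by `term` under hypotheses `ctx`, or raise."""
    tag = term[0]
    if tag == "hyp":                      # ("hyp", name): hypothesis or certificate
        if term[1] not in ctx:
            raise ProofError(f"unknown hypothesis {term[1]}")
        return ctx[term[1]]
    if tag == "inst":                     # ("inst", M, t): forall-elimination
        f = check(term[1], ctx)
        if f[0] != "forall":
            raise ProofError("instantiating a non-universal formula")
        return subst(f[2], f[1], term[2])
    if tag == "app":                      # ("app", M, N): implication-elimination
        f, arg = check(term[1], ctx), check(term[2], ctx)
        if f[0] != "imp" or f[1] != arg:
            raise ProofError("argument does not match the antecedent")
        return f[2]
    if tag == "pair":                     # ("pair", M, N): conjunction-introduction
        return conj(check(term[1], ctx), check(term[2], ctx))
    if tag == "inl":                      # ("inl", M, B): proves A or B from M : A
        return disj(check(term[1], ctx), term[2])
    if tag == "inr":                      # ("inr", M, A): proves A or B from M : B
        return disj(term[2], check(term[1], ctx))
    if tag == "case":                     # ("case", M, (x, L), (y, R)): disjunction-elimination
        d = check(term[1], ctx)
        if d[0] != "or":
            raise ProofError("case analysis on a non-disjunction")
        (x, left), (y, right) = term[2], term[3]
        fl, fr = check(left, {**ctx, x: d[1]}), check(right, {**ctx, y: d[2]})
        if fl != fr:
            raise ProofError("branches prove different formulas")
        return fl
    raise ProofError(f"unknown proof constructor {tag}")

def rules_used(term):
    """Policy rules an access proof rests on. A case split contributes both
    branches, so a proof via excluded middle yields an ambiguous set."""
    tag = term[0]
    if tag == "hyp":
        return {term[1]} if term[1] in ("p1", "p2") else set()
    if tag == "case":
        return rules_used(term[2][1]) | rules_used(term[3][1])
    if tag in ("inst", "inl", "inr"):
        return rules_used(term[1])
    return rules_used(term[1]) | rules_used(term[2])   # app, pair

# The policy and Alice's certificates from the text.
WEEKDAY = atom("weekday")
def employee(x): return atom("employee", x)
def manager(x):  return atom("manager", x)
def mayenter(x): return atom("mayenter", x)

P1 = forall("x", imp(conj(WEEKDAY, employee("x")), mayenter("x")))
P2 = forall("x", imp(conj(neg(WEEKDAY), manager("x")), mayenter("x")))
CTX = {"p1": P1, "p2": P2, "e": employee("Alice"), "m": manager("Alice")}
DIS = disj(WEEKDAY, neg(WEEKDAY))        # the excluded-middle instance dis

# The classical proof: case (dis) of inl v => p1 Alice (v, e) | inr w => p2 Alice (w, m)
CLASSICAL = ("case", ("hyp", "dis"),
             ("v", ("app", ("inst", ("hyp", "p1"), "Alice"), ("pair", ("hyp", "v"), ("hyp", "e")))),
             ("w", ("app", ("inst", ("hyp", "p2"), "Alice"), ("pair", ("hyp", "w"), ("hyp", "m")))))

# An intuitionistic proof: Alice supplies a certificate wd : weekday and uses p1 directly.
INTUITIONISTIC = ("app", ("inst", ("hyp", "p1"), "Alice"), ("pair", ("hyp", "wd"), ("hyp", "e")))

def audit(term, ctx):
    """Check that `term` proves mayenter(Alice) and return the rules it rests on."""
    if check(term, ctx) != mayenter("Alice"):
        raise ProofError("proof does not establish mayenter(Alice)")
    return rules_used(term)
```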

1.5  Contributions  of  the  Thesis 

This  thesis  makes  three  main  contributions  to  the  area  of  authorization  logics  and  their 
implementation,  as  well  as  several  minor  ones. 

Main  contributions.  The  three  main  contributions  of  the  thesis  are: 

•  Investigation  of  proof  theory  and  metatheoretic  properties  for  authorization  logics, 
illustrated  through  a  new  logic  BL 

•  Logical  treatment  of  dynamism  in  authorization  policies;  in  particular,  dependence 
on  state  and  consumable  credentials,  and  a  practical,  efficient,  and  provably  correct 
mechanism  for  enforcement  of  policies  dependent  on  state  as  well  as  explicit  time 

• An enhanced PCA-based architecture for enforcement of policies expressed in logic
that is efficient enough for use in operation-intensive systems, and its practical demonstration
through an implementation in a file system, PCFS
Minor contributions. In addition, the thesis makes several minor contributions, many
of  which  are  technical  in  nature. 

•  The  new,  expressive  authorization  logic  BL  and  a  formal  justification  of  expressiveness 
via  translations  from  existing  policy  frameworks 

• A systematic, proof-theoretic description of a proof search procedure for an authorization
logic, grounded in existing work on logic programming

• Detailed investigation of properties of proofs in authorization logic and their verification

•  A  detailed  case  study  of  policies  for  access  to  classified  information  in  the  U.S.  and 
their  formalization 

•  An  implementation  of  a  PCA-based  file  system  that  is  backwards  compatible  and 
largely  POSIX  compliant 

•  On  a  more  foundational  level,  a  logic  (BL)  whose  hypothetical  judgments  are  indexed 
by  first-order  terms,  and  where  truth  is  always  relativized  to  principals 


1.6  Aspects  of  Authorization  Not  Covered  in  the  Thesis 

Although  the  broad  theme  of  this  thesis  is  authorization  logics  and  their  applications,  certain 
aspects  of  the  use  of  authorization  logic  are  not  covered  in  the  thesis.  In  order  to  correctly 
qualify  the  scope  of  the  thesis,  we  list  these  out-of-scope  topics  below. 

-  Policy  administration:  The  thesis  does  not  cover  issues  of  how  responsibilities  of 
administering  different  parts  of  policies  are  distributed  to  individuals,  nor  how  they 
may  change.  Instead,  in  all  examples,  we  assume  that  these  are  provided  a  priori. 
Other  literature  on  policy  administration  deals  with  these  aspects,  e.g.,  [93,  126,  135]. 

-  Policy  authoring:  Tools  for  writing  policies  in  logical  form  are  not  covered  in  the 
thesis.  In  practice,  such  tools  are  necessary  because  policy  administrators  cannot  be 
expected  to  understand  formal  logic. 

-  Policy  storage  and  distribution:  We  do  not  describe  possible  ways  in  which  policy 
certificates  may  be  stored  or  distributed.  In  particular,  for  proof  search  (§6),  we 
ignore  the  issue  of  finding  relevant  certificates  that  may  be  needed  in  the  proof.  This 
problem  has  been  studied  extensively  in  the  past,  e.g.,  [21,  24,  46]. 

-  Correctness  of  policies  with  respect  to  intent  of  the  creator:  The  thesis  does  not 
consider  the  problem  of  whether  a  policy  represented  in  authorization  logic  has  the 
meaning  its  author  intended.  This  is  a  question  of  policy  analysis,  and  although  logical 
techniques  may  be  used  to  assist  in  addressing  the  problem  [5,  42,  67],  there  is  an 
element  of  subjectivity  in  it,  as  described  in  a  study  on  differences  in  human  intent 
and  actual  representation  of  access  policies  [19]. 
- Authentication: We implicitly assume that there is a mechanism for the reference
monitor to identify the principal making an access request. For PCFS, which runs
as a kernel service in Linux, authentication is quite trivial since the POSIX method
getuid() is used to identify the user making a file system call.


1.7  Outline  of  the  Thesis 

The  rest  of  this  thesis  is  organized  as  follows. 

In  §2,  we  provide  a  brief  overview  of  the  PCFS  architecture,  and  describe  how  its  various 
components  work  with  each  other  in  practice.  This  provides  a  perspective  for  the  work  in 
the  rest  of  the  thesis. 

§3 introduces a fragment of BL called BL_S that contains only k says s in addition to the
usual connectives of first-order logic. After a discussion of an axiomatic proof system and
some examples, proof theory (natural deduction and sequent calculus) and metatheoretic
properties like admissibility of cut are introduced. The nature of the says modality in BL_S
is elaborated through translation to a previously known modal logic, and the expressiveness
of BL_S is established by translating two known policy formalisms into it.

§4 generalizes the work in §3 to the full logic BL that includes explicit time and predicates
interpreted on system state, thus paving the way for representing dynamic policies.
Again,  proof  theory  and  metatheory  are  investigated,  and  in  addition,  proof  normalization 
is  studied.  The  chapter  also  discusses  how  BL  is  used  in  PCFS. 

In §5, proof terms for BL are studied and a practical, bidirectional procedure for their
verification is presented, which is implemented in PCFS. One novel contribution of this
chapter is the method for extracting dynamic policy elements from a proof, and a proof
that these elements, together with verification performed by trusted proof verifiers, suffice
to authorize access correctly. This shows that the PCFS architecture achieves the same
security guarantees as PCA. The chapter also describes the structure of procaps and how
they are verified, as well as enforcement of policy revocation.

§6  describes  the  method  of  proof  search  used  in  the  prover  included  in  PCFS.  Building 
on  ideas  from  existing  work  in  logic  programming,  the  chapter  identifies  a  very  expressive 
fragment  of  BL  on  which  goal-directed  search  is  complete,  and  proves  that  this  is  the  case. 

§7  describes  the  implementation  of  PCFS  in  detail.  In  particular,  it  discusses  how  the 
theory  in  §5  and  §6  is  used  in  practice.  It  also  describes  the  back  end  of  the  file  system  that 
includes  the  layout  of  files,  directories,  and  the  protection  of  configuration  files.  Performance 
measurements  establishing  the  high  efficiency  attained  by  PCFS  are  also  presented  in  this 
chapter. 

§8  presents  a  case  study  on  the  use  of  BL  and  PCFS.  The  case  study  considers  real 
policies  for  access  control  on  classified  information  in  the  U.S. 

§9 considers an extension of BL with ideas from linear logic, which allows representation
of credentials that can be used a fixed number of times only. Proof theory and metatheory
of this extension, BL_L, are presented, as are some examples of its use. In addition, the
chapter describes a method for enforcing consumable credentials in the PCFS architecture.

§10 concludes the thesis with some directions for future work.

Work most closely related to each chapter is presented at its end. Readers interested in understanding
only PCFS but not the proof theory of BL are advised to read §2, §4.1, §4.3, §5.2,
and §7.

Chapter 2

An  Overview  of  the  Proof-Carrying 
File  System  (PCFS) 


This  chapter  provides  a  brief  overview  of  the  architecture  of  PCFS,  the  file  system  that 
is  designed  and  implemented  in  this  thesis.  The  purpose  of  presenting  the  architecture 
upfront  is  to  provide  a  perspective  for  both  the  theoretical  work  on  BL  (§3,  §4)  and  the 
description  of  proof  verification  and  proof  search  (§5,  §6),  as  well  as  to  highlight  the  overall 
merits  of  the  architecture.  Details  of  the  design,  implementation,  and  evaluation  of  PCFS 
are  postponed  to  §7. 

PCFS builds on ideas from proof-carrying authorization (§1.2.2). It is currently implemented
as a local file system for the Linux operating system, but its architecture has
been designed to support distribution. The name PCFS is an acronym for Proof-Carrying
File System, even though access requests in PCFS do not carry proofs as they do in proof-carrying
authorization. Instead, proof verification is delegated to offline trusted verifiers
that are invoked prior to file access.

Briefly,  PCFS  works  as  follows.  The  access  policy  is  represented  as  logical  formulas  in  BL 
and  distributed  to  users  in  the  form  of  digital  certificates  signed  by  policy  administrators. 
A  user  constructs  formal  proofs,  which  show  that  the  policy  entails  certain  permissions  for 
her.  Each  proof  is  checked  by  a  trusted  proof  verifier  which  gives  the  user  a  signed  capability 
in  return.  This  capability,  called  a  procap  (for  proven  capability),  can  be  used  repeatedly 
to  authorize  access  to  file  system  operations;  the  file  system  checks  the  procap  each  time  it 
is  required  for  authorization.  Therefore,  policy  enforcement  in  PCFS  follows  the  path: 

Policy → Proof → Procap → File access


2.1  The  PCFS  Architecture 

Figure 2.1: PCFS architecture

Figure 2.1 shows the PCFS architecture. Numbers are used to label steps in order in which
they occur in practice. Steps 1-6 deal with the logic, and include proof generation, proof
verification, and creation of procaps. These steps are performed in advance of file access,
and happen infrequently (usually when a user accesses a file for the first time). Once procaps
are stored, they can be used repeatedly to perform file operations (steps 7-12). The solid
black vertical line in the diagram separates parts that happen in user space, i.e. before and
after a file system call (left side of the line) from those that happen during a file system call
(right side of the line). In the following we describe the steps of Figure 2.1 in some detail.

Policy creation (Step 1). A policy is defined as a set of formulas in the logic BL (§4) that
determine access rights. An access right is a triple $(k, f, \eta)$, which means that user $k$ (Alice,
Bob, etc) has permission $\eta$ (read, write, etc) on file or directory $f$. A policy is concretely
represented as digital certificates, signed by individuals who create it. PCFS provides a
command line tool, pcfs-cert, to help administrators check formulas for adherence to
logical syntax, to digitally sign them, and to convert them to a custom certificate format.
(We could have used a standard certificate format like X.509 [79], but found it easier to
create our own format.)

Proof generation (Steps 2-3). Once certificates have been created by administrators
and given to users, the latter use them to show that they are allowed certain permissions
in the file system. The basic tenet of PCFS, as in PCA, is that a user $k$ is allowed permission
$\eta$ on resource $f$ at time $u$, if and only if the user can provide a formal logical proof
$M$, which shows that the policy in effect, $\Gamma$, entails a fixed formula $\mathsf{auth}(k, f, \eta, u)$ or, in
formal notation, $\Gamma \vdash M :: \mathsf{auth}(k, f, \eta, u)$. The formula $\mathsf{auth}(k, f, \eta, u)$ (actually a logical
judgment) is defined in §4.3.

To help users construct the proof $M$, PCFS provides an automatic theorem prover for
BL, through the command line tool pcfs-search. This tool is based on logic programming;
its underlying theory is the subject of §6. Figure 2.1 shows the user giving the policy
(certificates) to the proof search tool in step 2, and the proof search tool returning a proof
in step 3. A typical proof construction in PCFS takes several hundred milliseconds. A
salient point is that the proof search tool is not a trusted component of PCFS and a user
may use any method to create proofs.

Proof verification (Steps 4-5). Once the user has constructed a proof $M$, this proof,
together with the certificates used to construct it, is given to a proof verifier, invoked using
another command line program pcfs-verify (Step 4 in Figure 2.1). The verifier is a trusted
component of PCFS. It checks that the logical structure of the proof $M$ is correct, and that
all certificates used in the proof are genuine, i.e. their digital signatures check correctly. If
both these hold, then the verifier gives back to the user a procap, which is a capability that
mentions the right $(k, f, \eta)$ that the proof grants (Step 5). The procap also contains some
conditions on which the proof depends and is signed using a shared symmetric key that is
known only to the verifier and the file system interface (see §7 for details). The method used
for verification of BL proofs and extraction of conditions from them is discussed in §5. A
typical proof verification including creation of a procap takes several tens or a few hundred
milliseconds, depending on the size of the proof.

Procap  injection  (Step  6).  After  receiving  a  procap,  the  user  invokes  another  command 
line  tool  to  put  the  procap  in  a  central  store,  marked  “Procap  Store”  in  Figure  2.1.  This 
store  is  in  a  designated  part  of  the  PCFS  file  system,  and  is  accessible  to  both  users  and 
the  system  interface.  The  system  interface  looks  up  this  store  to  find  relevant  procaps  when 
file  system  calls  are  made.  The  organization  of  the  store  is  described  in  §7. 

File  system  call  (Step  7).  A  call  to  the  PCFS  file  system  is  made  through  the  usual 
POSIX  file  system  API  during  the  execution  of  a  user  program.  PCFS  respects  the  standard 
POSIX  interface,  so  user  programs  and  shell  commands  don’t  need  to  change  to  work  on 
it.  However,  before  a  file  system  call  is  executed  the  user  or  the  program  must  ensure  that 
procaps  to  authorize  the  call  have  been  created  and  injected  using  Steps  2-6. 

Procap look up and checking (Steps 8-10). Once a program has made a file system
call, the file system looks up one or more procaps to authorize the operation (Steps 9 and
10). Procaps needed to authorize common operations are listed in §7. If all relevant procaps
are found, they are checked. Checking a typical procap takes only 10-100 µs (cf. the time
taken to check a proof, which is of the order of tens or hundreds of milliseconds). Details
of procap checking are presented in §5.

Error reporting (Steps 11a, 12). If any procap needed for performing the requested
file operation is missing or fails to check, an error code is returned to the user program.

File operation (Steps 11b, 11c, 12). If all relevant procaps needed to perform the requested
file operation are found, and successfully check, then the file operation is performed.
In the current implementation of PCFS, actual I/O is performed by redirecting to an existing
file system (Step 11b). Hence PCFS is a virtual file system that layers logic-based
access control on another file system.
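As an added example that is not part of the thesis or of PCFS, the following sketch models the procap path of Steps 5-12 described above, together with the time and state conditions that §1.4 says must be carried from the proof into the procap: the verifier issues an HMAC-authenticated procap naming the right (k, f, η) and its conditions, the user injects it into a store, and the reference monitor looks it up and checks it with one MAC computation and a few comparisons, returning the reason used for error reporting. The condition encoding, the JSON canonical form and all names are assumptions of this example.

```python
# Procap issuance, storage and checking as a runnable sketch of Steps 5-12
# (added illustration, not PCFS code). A procap names the right (k, f, eta) and
# the conditions the proof depended on, and carries an HMAC under a key shared
# by the verifier and the file system interface. The condition encoding (a
# validity window plus predicates on system state) and all names are assumed.
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Procap:
    principal: str            # k: identity the procap was issued to
    path: str                 # f: file or directory
    permission: str           # eta: "read", "write", ...
    valid_from: int           # window extracted from time-bounded rules in the proof
    valid_until: int          # (constructed: Unix seconds, end exclusive)
    state_conditions: tuple   # ((predicate, expected_value), ...), re-checked at access
    mac: str = ""             # hex HMAC-SHA256 over all fields above


def _canonical(p):
    """Deterministic byte encoding of the authenticated fields."""
    body = {k: v for k, v in asdict(p).items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_procap(key, principal, path, permission, valid_from, valid_until,
                 state_conditions=()):
    """Verifier side (Step 5): run only after the proof and certificates checked."""
    unsigned = Procap(principal, path, permission, valid_from, valid_until,
                      tuple(state_conditions))
    mac = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    return Procap(principal, path, permission, valid_from, valid_until,
                  tuple(state_conditions), mac)


class ProcapStore:
    """Central store the user injects into (Step 6) and the interface reads (Steps 8-10)."""
    def __init__(self):
        self._entries = {}

    def inject(self, p):
        self._entries[(p.principal, p.path, p.permission)] = p

    def lookup(self, principal, path, permission):
        return self._entries.get((principal, path, permission))


def check_procap(key, p, caller, path, permission, now, state):
    """Reference-monitor side: one HMAC and a few comparisons, no proof parsing.
    Returns (allowed, reason); the reason is what Step 11a would report."""
    expected = hmac.new(key, _canonical(p), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p.mac):      # verify before trusting any field
        return False, "bad mac"
    if (p.principal, p.path, p.permission) != (caller, path, permission):
        return False, "right does not match request"
    if not (p.valid_from <= now < p.valid_until):     # time condition from the proof
        return False, "outside validity window"
    for predicate, expected_value in p.state_conditions:
        if state.get(predicate) != expected_value:    # predicate interpreted on system state
            return False, f"state condition {predicate} not met"
    return True, "ok"


def authorize(key, store, caller, path, permission, now, state):
    """Steps 7-12: the caller identity comes from the OS (getuid() in PCFS),
    never from the request; a missing procap is an error, not a prompt for a proof."""
    p = store.lookup(caller, path, permission)
    if p is None:
        return False, "no procap"
    return check_procap(key, p, caller, path, permission, now, state)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # shared verifier/file-system secret (constructed)
    store = ProcapStore()
    store.inject(issue_procap(key, "alice", "/projects/plan.txt", "read",
                              1_000, 2_000, (("plan.txt.locked", False),)))
    print(authorize(key, store, "alice", "/projects/plan.txt", "read", 1_500,
                    {"plan.txt.locked": False}))   # (True, 'ok')
```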


2.2 Comparison to Proof-Carrying Authorization

The architecture of PCFS extends proof-carrying authorization (PCA) [13] with procaps.
The PCFS architecture and PCA differ in at least two ways. First, in PCA, a proof authorizing
access is verified during each call to a resource, whereas in PCFS proofs are verified in
advance of access and exchanged for procaps that authorize system calls. This allows much
higher throughput at the resources (files) because checking procaps is faster than checking
proofs. Experimental measurements of the performance of PCFS are presented in §7.

The second difference between the PCFS architecture and PCA is more an artifact
of the manner in which the latter has been implemented in many systems, rather than
a fundamental distinction. As it turns out, many PCA implementations [18, 20] use a
challenge-response protocol during access, as part of which the principal requesting access
is given a nonce. This nonce must be embedded in the proof used to authorize access
because the interface does not learn the identity of the principal. This implies that the
proof cannot be completed in advance of the access (although most parts of the proof are
independent of the nonce and can be constructed in advance). The PCFS architecture, on
the other hand, necessitates that the entire proof be constructed and verified in advance
of access and that the reference monitor learn the identity of the principal making the file
system call, because that identity is matched to the identity listed in the procap used for
authorization.

In addition to these differences, the logics used as the basis of many PCA implementations
differ significantly from BL. These differences are discussed in §3.7 and §4.7.


2.3  Merits  of  the  PCFS  Architecture 

Interestingly,  besides  the  obvious  merit  of  improving  throughput  in  access  to  resources,  the 
PCFS  architecture  has  two  other  significant  merits. 


Modularity. Owing to the separation of the proof verifier from the reference monitor, the
access control subsystem factors into two parts, both conceptually and in the implementation:
(a) the front end, which understands the logic and digital certificates, and performs
proof search and proof verification to generate procaps, and (b) the back end, which checks
procaps  to  authorize  access  and  performs  resource  access.  The  two  parts  only  interact 
through  procaps  and  are  otherwise  independent.  In  Figure  2.1,  the  front  end  corresponds 
to  steps  1-6  and  the  back  end  corresponds  to  steps  7-12.  This  factorization  has  the  following 
merits: 
- The front end may be changed to support a different logic, or even replicated to
support  two  authorization  logics  simultaneously,  without  any  need  to  change  the  back 
end. 

-  The  same  front  end  can  be  used  with  different  back  ends. 

- The front end and back end can be implemented, tested, and debugged separately,
possibly by different teams having expertise in logic and systems programming respectively.
For example, in the current implementation of PCFS, the front end is written
in  SML,  while  the  back  end  is  written  in  C++  and  has  been  optimized  for  speed. 
There  are  no  compile  time  dependencies  between  the  two  parts.  However,  both  parts 
agree  on  a  common  structure  for  procaps. 

Backwards  compatibility.  By  storing  procaps  in  a  central  location  (“procap  store”  in 
Figure  2.1)  rather  than  requiring  programs  to  provide  them  at  the  time  of  access,  as  PCA 
does  for  proofs,  PCFS  is  able  to  maintain  backwards  compatibility  with  the  POSIX  file 
system  interface.  This  allows  existing  programs  to  run  without  modification,  provided  that 
enough  procaps  are  generated  in  advance  to  authorize  all  access  they  need.  A  complication 
arises  for  files  that  programs  create  while  they  execute,  in  particular,  temporary  files  that 
word  processors  and  spreadsheets  often  create.  To  allow  programs  to  access  such  files 
without  the  need  to  create  and  check  proofs,  the  file  system  automatically  generates  default 
procaps  that  give  the  creating  user  read  and  write  access  to  a  new  file  or  directory  for  a 
certain  period  of  time.  As  a  result,  even  sophisticated  software  like  word  processors  and 
spreadsheets  work  seamlessly  on  PCFS.  Access  through  default  procaps  can  be  turned  off  by 
changing  an  extended  attribute  on  the  file  or  directory  on  which  such  access  is  conditional. 


2.4  Related  Work 

Proof-Carrying Authorization. As noted earlier, proof-carrying authorization was first
described by Appel and Felten [13]. There are currently two large implementations of
PCA [18, 20]. The more recent of these, called Grey, is a generic architecture for access
control that is currently deployed for access to office doors in one floor at Carnegie Mellon
University.  More  recently,  Lesniewski-Laas  et  al.  [90]  have  described  an  extension  of  PCA  in 
which  credentials  define  not  only  authorization  policies  but  also  the  cryptographic  primitives 
and  credential  formats  that  may  be  used  to  incorporate  policies  from  external  systems. 

Vaughan et al. [139] describe an architecture similar to PCA, focusing on a "proofs as log
entries" approach, where full proofs used for access are written in logs. Their architecture
is based on a strongly typed language, and it is assumed that proofs passed to the reference
monitor are correct (so there is no need for proof-checking), but proofs may be inspected
subsequently for audit. In joint work, the author and Chaudhuri describe a compiler that
supports PCA-like interfaces (in particular, PCFS) by automatically inserting code to generate
and verify proofs [41]. Avijit et al. [15] and, independently, Vaughan et al. [85] present
programming languages whose resource access APIs are guarded by proof-carrying
authorization. In both these languages, the type system ensures that correct proofs are presented
at each access.


Logic-based authorization in Taos. Prior to the advent of proof-carrying authorization,
Wobber et al. designed, implemented and tested logic-based authentication and
authorization for the distributed operating system Taos [143]. In their design, a logic is used
to authenticate the caller to the callee in a remote procedure call (RPC): through logical
inference, the callee learns the identity of the remote principal p on behalf of whom the
channel c over which the call comes is acting. The relation between c and p is expressed as
the logical formula c => p, read "c speaks for p" (the logic used is that of Lampson, Abadi
and others [8, 88]).

Although PCFS does not directly use this idea, the work is closely related to PCFS for
two reasons. First, the callee of an RPC in Taos may request the caller to provide evidence
which establishes c => p. This evidence, which is encoded as an S-expression, is similar to a
logical proof and contains signed certificates at its leaves. The callee verifies the evidence,
and in the process learns p. In this sense, the work on Taos is a precursor to proof-carrying
authorization since the latter generalizes the idea of using proofs for authentication to using
proofs for authorization. Second, efficient performance of the authentication mechanism in
Taos relies on caching of proofs and, further, cached proofs expire automatically when the
certificates embedded in them expire. In this sense too, the work is related to PCFS: as
mentioned in §1, procaps in PCFS generalize the idea of a cache of authorizations by allowing
for distribution, and enforce not only time-based expiration but also state-dependent
invalidation of proofs.


Trust Management and digital certificates. The idea of using digital certificates
to represent policies, although not in logical form, dates back at least to the description
of X.509 certificates [79]. Prior to its adoption in PCA, the idea evolved in many other
policy frameworks, including PolicyMaker [33], KeyNote [31], and SPKI [58]. To the best
of our knowledge, the use of digital certificates to establish policies in logical form was first
considered in work on the Taos operating system discussed above.


Authorization in file systems. POSIX standards for access control in file systems [134]
follow the UNIX model [137] where read, write, and execute permissions for the owner and
the owning group of a file or directory are stored in file system meta-data. File systems
that use this model include early versions of NFS [125], SFS [100], Truffles [124], and most
file systems for UNIX-like environments. Access control in other file systems, including
AFS [130], NTFS [48], NFSv4 [133], CIFS [77], GSFS [87], and most file systems on newer
Linux kernels, relies on access control lists that allow or deny permissions to all users (not
only the owner). Although the exact number and kinds of permissions vary, this model is an
improvement over the UNIX model since it allows administrators to give access to arbitrary
users, without having to add them to the file's owning group. In the file system Bayou [136],
authorization is based on certificates that are signed by a single trusted administrator.

A significant limitation of both the UNIX model and per-user ACLs is that there is no
easy way to allow an ordinary user to give permissions to other users. (As explained in §3.1.2,
this kind of delegation is straightforward in PCFS.) In some file systems like AFS, users
may be given administrative rights over the ACL of a file system object, through which they
may add other users to the object's ACL. However, there is no way to limit this authority,
say, to specific permissions. In file systems such as Truffles, Bayou, and WebFS [138] users
may transfer their permissions on files to other users by signing certificates.

File systems with authorization mechanisms closest to those of PCFS are Echo (the file
system in Taos discussed earlier), DisCFS [104], WebDAVA [91], and Fileteller [81]. The
last three of these use the Trust Management system KeyNote [31] for authorizing access.
Like proof-carrying authorization and PCFS, trust management frameworks admit flexible
policies that are represented in digitally signed certificates. However, as opposed to
proof-carrying authorization and PCFS, inference from certificates is performed by the reference
monitor, which may cause problems at large scales. A survey article by Miltchev et al. [105]
reviews and compares authorization mechanisms in networked file systems.

Many existing file systems, including CapaFS [123] and several file systems for
network-attached storage disks [10, 73, 112, 121], use capabilities to authorize access. However,
capabilities in these file systems differ from those in PCFS significantly. In these file
systems, capabilities are sufficient to authorize access. On the other hand, capabilities in PCFS
are only a tool for improving efficiency and backwards compatibility - access is still
contingent on proofs; capabilities only carry information about proof verification and dynamic
constraints in proofs from the proof verifier to the reference monitor (§5).
Chapter 3

BL_S: An Authorization Logic for Static Policies


This chapter describes an authorization logic BL_S, which is suitable for expressing static
authorization policies. Static authorization policies, as opposed to dynamic authorization
policies, do not rely on time and state. §4 describes a larger logic BL that, unlike BL_S,
contains support for explicit time, constraints, and predicates interpreted on the state of
the system. These features can be used to express dynamic authorization policies.

BL_S is an extension of first-order intuitionistic logic with a single modality k says s,
which means that principal k says, claims, or supports the truth of formula s but does
not imply that s is true. In practice, the modality is used to distinguish policy rules and
credentials created by different individuals. For example, if principal k signs a certificate
containing formula s, this may be reflected in the logic as the formula k says s. Whereas
the idea of using a modality of this nature to distinguish policies of different principals is
not new, and goes back to the work of Lampson et al. from 1992 [88], the proof-theoretic
interpretation of the modality k says s in BL_S is original.

The purpose of considering BL_S separately from the full logic BL is to make the
presentation easier to follow. First, working with a simple logic like BL_S makes it easier to
introduce basic concepts of structural proof theory such as the sequent calculus and natural
deduction, as well as their metatheoretic properties like admissibility of cut in the context
of authorization. These form the centerpiece of the rest of this thesis. Second, this
chapter considers translations from two existing formalisms for expressing authorization
policies, namely, the GP logic [67] and Soutei [118], to BL_S and compares a third
formalism, Binder [52], to BL_S. For these purposes, there is no need to consider the full logic
BL because, like many other authorization formalisms, GP logic, Soutei, and Binder do
not consider explicit time or state. Third, this chapter connects BL_S to the modal logic
constructive S4 [11, 115], and a fragment of BL_S to intuitionistic first-order logic via
translations. These translations are intended to explain better the exact nature of the modality
k says s in BL_S and BL. Finally, it is also an objective of this chapter to introduce the use
of authorization logic in modeling access control. The latter, although not a contribution
of this chapter or this thesis, will be very helpful to the uninitiated reader in understanding
the rest of this thesis and is best introduced with the fewest possible constructs.

At the same time, there are several important aspects of an authorization logic like
BL_S that are omitted from this chapter, including proof terms, proof verification, and proof
search. These aspects are discussed for the full logic BL in §5 and §6; corresponding aspects
for BL_S may be derived as special cases.

History. Two of the fundamental ideas advocated in this chapter and thesis, viz. proof
theory in the context of authorization and the emphasis on intuitionistic logic as opposed
to classical logic, which was the de facto standard in the area for a long time, were first
introduced in joint work with Pfenning [67]. The logic used in that paper, called the
GP logic here, treats k says • as an indexed lax modality [28, 60, 115]. Although that
logic and similar logics by Abadi [5] have been used in several proposals under various
names [15, 45, 61, 65, 66, 85, 90, 139], the logic BL used in this thesis contains a weaker
modality k says •. The switch from the GP logic to BL_S was motivated by three criteria.
The first and most important of these is the ability of BL_S (and the inability of the GP
logic) to express a specific form of delegation of authority that we call exclusive delegation.
This form of delegation arises several times in our case study (§8) and is described in §3.1.2.
Second, there are simple translations from three existing policy formalisms - the GP logic,
Soutei, and a fragment of Binder - into BL_S (§3.5). As a result, BL_S is provably at least as
expressive as each of these formalisms (and, in particular, BL_S is at least as expressive as
the GP logic). In contrast, we do not know of translations from BL_S, Soutei, or Binder into
the GP logic. Third, BL_S admits goal-directed proof search that is complete with respect
to its proof rules (§6), which the GP logic may or may not. Goal-directed proof search
forms the basis of the automatic proof search tool included in PCFS.

The nature of the says modality in BL is similar to that in the trust management
frameworks [118] and the policy language Binder [52], and the name BL is an abbreviation
for "Binder" Logic as a tribute to this inspiration. However, there is a significant difference
between Binder and BL - the former is a specialized declarative language for writing policies,
while the latter is a logic. Most of the technical content in this chapter generalizes previous
work on the propositional fragment of BL_S [64, Section 5.5], and on the propositional
fragment of a closely related logic DTL_0 [63, 64].

3.1 Syntax and Axioms

BL_S extends first-order intuitionistic logic with a modality k says s, which, as explained
earlier, means that principal k states, claims, or supports that formula s is true. Predicates
P express relations between terms that are either ground constants a, bound variables x, or
applications of uninterpreted function symbols f to ground terms. Terms are classified into
sorts σ (sometimes called types). We stipulate at least one sort principal whose elements
are represented by the letter k. Formulas s may either be atomic (p, q) or they may be
constructed using the usual connectives of predicate logic and the special connective k says s.
As a convention, we do not write parentheses or commas when applying arguments to a
predicate, writing an atomic formula as P t_1 ... t_n instead of the more common form
P(t_1, ..., t_n) because it makes examples easier to read.


Sorts         σ ::= principal | ...
Terms         t, k ::= a | x | f(t_1, ..., t_n) | ℓ
Predicates    P
Atoms         p, q ::= P t_1 ... t_n
Formulas      r, s ::= p | r ∧ s | r ∨ s | r ⊃ s | ⊤ | ⊥ | ∀x:σ.s | ∃x:σ.s | k says s

Negation is not a primitive. If required, it may be defined as ¬s = (s ⊃ ⊥).

Throughout this thesis, the letter Σ denotes a finite partial map from term variables
to sorts, concretely represented as Σ = x_1:σ_1, ..., x_n:σ_n. We often call Σ a sorting. The
judgment Σ ⊢ t : σ means that term t has sort σ given the assignment of sorts to variables
Σ. We assume the following property of this judgment.

(T-weaken)    Σ ⊢ t : σ implies Σ, x:σ' ⊢ t : σ

Further, a stipulated signature specifies the sorts of arguments that function symbols
take and the sort that they return, as well as sorts of arguments of predicates, but we do not
write the signature explicitly. In a similar manner we elide the details of a formal system of
rules to check the well-formedness of syntactic constructs like formulas. Although for most
logics well-formedness just means adherence to the grammar, this is not the case for logics
considered in this thesis. For instance, well-formedness of k says s requires not only that k
adhere to the syntax of terms but also that k have sort principal (in the prevalent sorting).
These checks can easily be added to the proof systems presented here, as in prior work [67].

In addition to the judgment Σ ⊢ t : σ, proof systems of BL_S are also parameterized by
a judgment Σ ⊢ k ≽ k', read "k is stronger than k'", or "k has more authority in creating
policies and credentials than k'". Formally, Σ ⊢ k ≽ k' has the consequence that (k says s) ⊃
(k' says s) for any s that is well-formed in Σ. As a result, the relation ≽ can be used to
capture hierarchies in policy administration. It is implicitly assumed that Σ ⊢ k : principal
and Σ ⊢ k' : principal whenever Σ ⊢ k ≽ k'. Although we do not stipulate a definition for
the judgment Σ ⊢ k ≽ k', we require that it satisfy the following properties.

(O-refl)      Σ ⊢ k ≽ k
(O-trans)     Σ ⊢ k ≽ k' and Σ ⊢ k' ≽ k'' imply Σ ⊢ k ≽ k''
(O-weaken)    Σ ⊢ k ≽ k' implies Σ, x:σ ⊢ k ≽ k'
(O-subst)     Σ, x:σ ⊢ k ≽ k' and Σ ⊢ t : σ imply Σ ⊢ k[t/x] ≽ k'[t/x]

(O-refl) and (O-trans) imply that Σ ⊢ k ≽ k' defines a preorder on principals. We also
assume a distinguished strongest principal ℓ satisfying the following property for every
principal k.

(O-loca)      Σ ⊢ ℓ ≽ k

ℓ is called the "local authority", a term borrowed from the implementation of the language
SecPAL [3]. We often abbreviate Σ ⊢ k ≽ k' to k ≽ k' when Σ is clear from the context or
irrelevant. The full logic BL internalizes the order k ≽ k' into the syntax of formulas (§4).
3.1.1 Axiomatic Proof System

Our focus in this chapter, and thesis in general, is on structural proof theory, i.e. natural
deduction and sequent calculi. However, for the convenience of readers unfamiliar with
these, we describe BL_S's modality k says s using axioms. We write Σ ⊢_H s to mean that
formula s is valid or provable without hypothesis assuming the sorting Σ for free variables.
All variables free in s must occur in the domain of Σ. (The subscript H represents a
Hilbert-style system of proofs.) The following axioms and rules for says, together with
any complete axiomatization of first-order intuitionistic logic and two additional rules for
quantifiers, constitute a deduction system for BL_S. A complete axiomatization for BL_S is
presented in Appendix A.

(N)    Σ ⊢_H s
       ─────────────────
       Σ ⊢_H k says s

(K)    Σ ⊢_H (k says (s_1 ⊃ s_2)) ⊃ ((k says s_1) ⊃ (k says s_2))

(I)    Σ ⊢_H (k says s) ⊃ k' says k says s

(C)    Σ ⊢_H k says ((k says s) ⊃ s)

(S)    Σ ⊢_H (k says s) ⊃ k' says s        if Σ ⊢ k ≽ k'

Rule (N) means that each principal states at least all tautologies. Axiom (K) means that the
statements of each principal are closed under implication. Together they imply that each
(k says •) is a normal modality (see e.g., [59]). Axiom (I) was first suggested in the context
of access control by Abadi [4]. It means that if principal k says s, then every principal
k' says that k says s. Axiom (C), an abbreviation for conceit, states that every principal
k claims that each of its statements is true. This axiom is peculiar to BL_S and gives its
says modality a unique meaning. It is not needed to derive useful consequences from most
policies represented in BL_S but is necessary to prove completeness of the axiomatic system
with respect to the natural deduction system and the sequent calculus (Theorem 3.13).
(S) means that statements of each principal are supported by all weaker principals. In
particular, (ℓ says s) ⊃ k says s for each k and s.
Admissible and inadmissible properties. We list below some theorems and non-theorems
in BL_S, primarily to give the reader a better intuition about the nature of the
logic. These properties can be established easily using the sequent calculus for BL_S, which
we present in §3.2.3. The notation ⊢ s means that for every formula of the form of s and
every Σ whose domain contains the free variables of s, it is the case that Σ ⊢_H s. ⊬ s
denotes its converse. s ≡ s' denotes (s ⊃ s') ∧ (s' ⊃ s).

1.   ⊬ ⊥
2.   ⊬ (k says s) ⊃ s
3.   ⊬ (k says ⊥) ⊃ ⊥
4.   ⊬ s ⊃ k says s
5.   ⊬ (k says s) ⊃ (k says k' says s)
6.   ⊢ (k says (s_1 ∧ s_2)) ≡ ((k says s_1) ∧ (k says s_2))
7.   ⊢ ((k says s_1) ∨ (k says s_2)) ⊃ (k says (s_1 ∨ s_2))
8.   ⊬ (k says (s_1 ∨ s_2)) ⊃ ((k says s_1) ∨ (k says s_2))
9.   ⊬ ((k says s_1) ⊃ (k says s_2)) ⊃ (k says (s_1 ⊃ s_2))
10.  ⊢ (k says ∀x:σ.s) ⊃ ∀x:σ.(k says s)
11.  ⊬ (∀x:σ.(k says s)) ⊃ k says ∀x:σ.s
12.  ⊢ (∃x:σ.(k says s)) ⊃ k says ∃x:σ.s
13.  ⊬ (k says ∃x:σ.s) ⊃ ∃x:σ.(k says s)

(1) is a statement of consistency of BL_S - falsehood is not provable without hypothesis. (2)
means that there are statements that principals may make, which are not necessarily true;
in particular, ⊥ is such a statement (3). These two properties are extremely important in an
enforcement based on proof-carrying authorization because principals are not constrained
in what policy rules they may issue. (4) means that not every true statement is stated by
every principal. This may seem counter-intuitive but is necessary to delegate authority in
some cases (see §3.5.1 for details). (5) states that even the weaker case of (4) where s has
the form k says s' does not hold. As (6) shows, says can be commuted with ∧ without
affecting provability. In fact, ∧ is the only connective with which says commutes in this
manner. As (7)-(13) show, for every other connective commutation with says preserves
provability in exactly one direction.

Example 3.1. We consider a hypothetical example of access control based in the intelligence
community. The example is based on a larger case study on the subject, presented
in its entirety in §8. Suppose that in a hypothetical intelligence agency each file and each
individual has a classification level from the ordered set confidential < secret < topsecret.
Three distinguished principals participate in access control: admin, who has the ultimate
authority on granting access; system, who is responsible for governing files (e.g., setting
their ownership and classification levels); and hr, who is responsible for governing individuals
(e.g., giving them classification levels). Figure 3.1 shows the policy rules that control
access (numbered (1)-(5)) as well as some additional credentials needed to get access in a
specific case (numbered (6)-(9)).

In order that principal k may read file f, the following formula must be established from
the policies in effect: admin says (may k f read). This is possible if k has a classification
level above the file (predicate hasLevelForFile k f), and k gets permission from the owner
of the file. This is captured in policy rule (1), which is created by admin. For readability,
we omit all sort annotations from quantifiers. Precisely, policy rule (1) means that (admin
says) whenever k has the appropriate clearance level to read file f, system says that k'
owns f, and k' says that k may read f, then k may indeed read f. Observe that this rule
Common rules:

(1)  admin says ∀k, k', f.
       (((hasLevelForFile k f) ∧ (system says (owns k' f)) ∧
         (k' says (may k f read))) ⊃ may k f read)

(2)  admin says ∀k, f, l, l'.
       (((system says (levelFile f l)) ∧ (hr says (levelPrin k l')) ∧
         (below l l')) ⊃ hasLevelForFile k f)

(3)  ℓ says (below confidential secret)

(4)  ℓ says (below secret topsecret)

(5)  ℓ says (below confidential topsecret)

Additional credentials for example scenario:

(6)  system says (levelFile secret.txt secret)

(7)  system says (owns Alice secret.txt)

(8)  hr says (levelPrin Bob topsecret)

(9)  Alice says (may Bob secret.txt read)

Figure 3.1: Simplified policies for control of classified information


illustrates how two common policy motifs may be encoded in authorization logic: (a) admin
delegates control over the predicate owns to principal system, and (b) the file's owner k' is
given discretionary control over access to it.

Policy rule (2) defines the predicate (hasLevelForFile k f) further in terms of
classification levels of k and f (formulas (levelPrin k l) and (levelFile f l), respectively).
Observe again that control over levelPrin is delegated to the principal hr whereas control
over levelFile is delegated to system. The formula (below l l') captures the order l < l'
between classification levels (policy rules (3)-(5)). Since we assume that all principals agree
on this order, rules (3)-(5) are stated by the strongest principal, the local authority ℓ.

As an illustration of the use of policy rules (1)-(5), let us assume that file secret.txt
owned by Alice is classified at the level secret. Suppose that Bob is an employee cleared at
level topsecret, and further that Alice wants to let Bob read file secret.txt. This information
is captured in formulas (6)-(9). Using the axioms and rules of BL_S presented earlier, (1)-(9)
entail admin says (may Bob secret.txt read). Some of the initial steps in this derivation are
as follows. First, by instantiating the universal quantifiers in (2), we obtain:

(3.1)  admin says
         (((system says (levelFile secret.txt secret)) ∧
           (hr says (levelPrin Bob topsecret)) ∧
           (below secret topsecret))
          ⊃ hasLevelForFile Bob secret.txt)

Basic propositional axioms and (K) yield

(3.2)  ((admin says system says (levelFile secret.txt secret)) ∧
        (admin says hr says (levelPrin Bob topsecret)) ∧
        (admin says (below secret topsecret)))
       ⊃ admin says (hasLevelForFile Bob secret.txt)
Using axiom (I) with (6) and (8) gives

(3.3)  admin says system says (levelFile secret.txt secret)

(3.4)  admin says hr says (levelPrin Bob topsecret)

Similarly, axiom (S) on (4) gives

(3.5)  admin says (below secret topsecret)

Three applications of modus ponens on (3.2) and (3.3)-(3.5) now yield¹

(3.6)  admin says (hasLevelForFile Bob secret.txt)

The rest of the proof now proceeds similarly: axiom (K) is now applied to (1), then axiom
(I) is applied to (7) and (9), and finally admin says (may Bob secret.txt read) is obtained by
modus ponens.

It is instructive to observe the role of axiom (I) in injecting the statements (6) and (8) of
principals system and hr into the statements of admin (3.3), (3.4). Also noteworthy is the
use of axiom (S) in converting statement (4) made by ℓ to a statement made by admin (3.5).
Without axioms (I) and (S) it would be impossible to derive the expected authorization.
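The derivation above can be mechanized for the Horn-clause fragment in which Figure 3.1 happens to lie; the following Python program is an added example, not code from the thesis or from PCFS. It encodes (1)-(9), applies (N)/(K) as rule application within one principal's statements, (I) and (S) exactly where the text used them, and computes the closure by forward chaining; the `?` prefix for quantified variables and the token `loca` for ℓ are this example's own conventions.

```python
"""Forward-chaining derivation over the policy of Figure 3.1 (constructed example).

Policies are restricted to the Horn fragment
    k says forall xs. (b_1 and ... and b_n) implies head
and facts are pairs (principal, atom) meaning `principal says atom`.
"""

LOCAL = "loca"   # stands for the local authority (the script letter l in the text)


def is_var(t):
    """Quantified variables carry a leading '?'; everything else is a constant."""
    return t.startswith("?")


def unify(pattern, fact, env):
    """Return env extended so that pattern matches fact, or None on mismatch."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if env.get(p, f) != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env


def subst(atom, env):
    return tuple(env.get(t, t) for t in atom)


def matches(facts, issuer, literal, env):
    """Yield extensions of env under which `issuer says literal` holds.

    literal is (q, pattern). q is None when the issuer itself must have stated
    the atom; otherwise the body asks for `issuer says q says atom`, which by
    axiom (I) follows from `q says atom`. In both cases a statement by the
    local authority suffices, by axiom (S)."""
    q, pattern = literal
    for p, atom in facts:
        env2 = unify(pattern, atom, env)
        if env2 is None:
            continue
        if q is None:
            want = issuer
        elif is_var(q) and q not in env2:
            env2[q] = p           # bind the quantified principal to the speaker
            want = p
        else:
            want = env2.get(q, q)
        if p == want or p == LOCAL:
            yield env2


def apply_rule(facts, rule):
    """(N)/(K): instantiate the rule body against facts; each justified head is
    asserted by the rule's issuer."""
    issuer, head, body = rule
    envs = [{}]
    for lit in body:
        envs = [e2 for e in envs for e2 in matches(facts, issuer, lit, e)]
    return {(issuer, subst(head, e)) for e in envs}


def closure(facts, rules):
    """Least fixed point: every `k says atom` derivable from facts and rules."""
    facts = set(facts)
    while True:
        new = set().union(*(apply_rule(facts, r) for r in rules)) - facts
        if not new:
            return facts
        facts |= new


# Figure 3.1, rules (1) and (2); ?k2 and ?l2 stand for k' and l'.
RULES = [
    ("admin", ("may", "?k", "?f", "read"),                 # (1)
     [(None, ("hasLevelForFile", "?k", "?f")),
      ("system", ("owns", "?k2", "?f")),
      ("?k2", ("may", "?k", "?f", "read"))]),
    ("admin", ("hasLevelForFile", "?k", "?f"),             # (2)
     [("system", ("levelFile", "?f", "?l")),
      ("hr", ("levelPrin", "?k", "?l2")),
      (None, ("below", "?l", "?l2"))]),
]

# Figure 3.1, (3)-(5) by the local authority, and scenario credentials (6)-(9).
FACTS = {
    (LOCAL, ("below", "confidential", "secret")),          # (3)
    (LOCAL, ("below", "secret", "topsecret")),             # (4)
    (LOCAL, ("below", "confidential", "topsecret")),       # (5)
    ("system", ("levelFile", "secret.txt", "secret")),     # (6)
    ("system", ("owns", "Alice", "secret.txt")),           # (7)
    ("hr", ("levelPrin", "Bob", "topsecret")),             # (8)
    ("Alice", ("may", "Bob", "secret.txt", "read")),       # (9)
}


def authorized(k, f, facts=FACTS, rules=RULES):
    """Is `admin says (may k f read)` derivable? This is the formula the reference
    monitor must see proved before it lets k read f."""
    return ("admin", ("may", k, f, "read")) in closure(facts, rules)
```

Dropping (9) or replacing it with a statement by a non-owner leaves `authorized("Bob", "secret.txt")` false, which is the discretionary-control motif (b) of rule (1) at work.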

Connection to practice. As mentioned in §1.2.2, formulas of the form k says s are
special when enforcement is based on proof-carrying authorization because such formulas
can be established in two different ways. First, like all other formulas, they may be derived
using inference rules and axioms. Second, they can be established directly - principal k
may write the formula s in a digital certificate and sign it with her private key. In
proof-carrying authorization, this digitally signed certificate is evidence that k says s holds. In
fact, for a logic like BL_S, this is the only primitive way of discharging a hypothesis. From
the perspective of enforcement, there is no difference between common policy rules such
as (1)-(5) of Figure 3.1, and case-specific credentials like (6)-(9). Both are concretely
established through digitally signed certificates containing logical formulas.

If proof-carrying authorization is used to enforce these policies, then in order to get
access to secret.txt in the above example Bob would give the proof which shows that (1)-(9)
establish admin says (may Bob secret.txt read) to the reference monitor that is protecting
files, together with the certificates that establish (1)-(9). The reference monitor would then
check the proof and the certificates, and allow access if both checks succeed. Of course,
it may not be very convenient for Bob to either find the proof or represent it using an
axiomatic system. For such purposes, structural proof theory may be more appropriate.

3.1.2 Expressible and Inexpressible Policy Idioms

As further illustration of possible use of BL_S, and authorization logics in general, we give
examples of some idioms that appear often in access policies and discuss whether or not they
can be expressed in BL_S. The purpose of this section is explanatory, primarily to show how
BL_S can be used in practice. A secondary objective is to compare existing authorization
logics and logic-based languages for writing authorization policies (e.g., [4, 8, 23, 26, 49, 52,
67, 88, 118, 143]) in terms of their ability to express these idioms.

¹Modus ponens is a fundamental rule in axiomatic proof systems which states that ⊢_H (s ⊃ s') and ⊢_H s
imply ⊢_H s'.

Distributed Policies. In distributed systems parts of policies may be created by different
individuals. As Example 3.1 illustrates, rules created by different individuals can be
represented and combined in BL_S using the says connective. This use of the says connective
is not unique to BL_S (although the specific logical behavior of says is). The operator
was first introduced by Lampson et al. [8, 88] for exactly this purpose, and has subsequently
been adapted in many proposals for expressing distributed authorization policies
(e.g. [23, 26, 52, 67, 118]).

Access control lists (ACLs). Although abstracting policies from low level enforcement
mechanisms like access control lists is one of the primary reasons to use an authorization
logic, ACLs can be encoded in an authorization logic easily. Using notation from Example 3.1,
suppose that the principal admin has ultimate authority on deciding access. Then
admin may simulate ACLs in the system in any authorization logic including BL_S by issuing
one certificate for each entry in the ACLs, e.g.,

admin says (may Alice foo.txt write)
admin says (may Bob bar.pdf read)


Roles and groups. Roles and groups of principals are used to ease administration of
access policies, when a set of individuals have access to exactly the same set of resources.
Roles and groups can be expressed very easily in any logic including BL_S. As an example,
the case where all members of a group G have read access to all files in the set {f_1, ..., f_n}
can be expressed by the following set of n policy rules.

admin says ∀k. ((member k G) ⊃ (may k f_1 read))
...
admin says ∀k. ((member k G) ⊃ (may k f_n read))

where member k G is a predicate which means that k is a member of group G. Members
can be added to the group G by signing certificates of the following kind.

admin says (member Alice G)
admin says (member Bob G)

If there are m principals in G and n files, this encoding requires that admin issue m + n
certificates, whereas a naive encoding using access control lists would require mn certificates
(one for each pair of a file and a principal).
Delegation. In a distributed system a principal $k$ may delegate some or all of its authority in making policies to another principal $k'$. What this means is that if $k'$ makes a policy rule regarding a subject that has been delegated to it, then $k$ will endorse the rule as well. There are several different kinds of delegation, of which we discuss four here.

The first kind of delegation, which we call limited delegation, occurs when a principal $k$ delegates to principal $k'$ authority over a predicate or, in general, over a specific formula $s$. Such a delegation can be expressed in BLg as the formula $k\ \mathsf{says}\ ((k'\ \mathsf{says}\ s) \supset s)$. Many examples of this form appear in §8. For this encoding to have its intended effect, i.e., for this formula and $k'\ \mathsf{says}\ s$ to entail $k\ \mathsf{says}\ s$, the logic has to be reasonably strong. In particular, axiom (I) must be admissible in the logic. A number of early authorization logics such as [8, 88] do not satisfy this axiom. Expressing limited delegation in these logics is difficult and requires a rich algebraic structure on principals. The logic ICL$^{\Rightarrow}$ enhances the algebraic structure on principals to express limited delegation in a simple manner [65]. A salient observation is that in a limited delegation the delegating principal retains authority over the delegated formula: in the example above, even if $k'$ does not say $s$, $k$ may directly assert $s$.

The second kind of delegation, which we call exclusive delegation, is a variant of limited delegation where the delegating principal itself does not have any authority over the formula it delegates. This is illustrated by formulas (1) and (2) in Figure 3.1. In (1), for instance, principal admin delegates authority over the predicate $\mathit{owns}\ k'\ f$ to the principal system, but it is the intent of the policy that admin itself may not make decisions regarding owns. Such a delegation can be represented in BLg using a formula of the form $k\ \mathsf{says}\ ((k'\ \mathsf{says}\ s') \supset s)$. For this encoding to work correctly, the following two properties must hold:

$k\ \mathsf{says}\ ((k'\ \mathsf{says}\ s') \supset s)$ and $k'\ \mathsf{says}\ s'$ should imply $k\ \mathsf{says}\ s$

$k\ \mathsf{says}\ ((k'\ \mathsf{says}\ s') \supset s)$ and $k\ \mathsf{says}\ s'$ should not in general imply $k\ \mathsf{says}\ s$²

Both these properties hold in BLg. The important observation here is that in the presence of (N) and (K), the first property is equivalent to the axiom (I), whereas the second property imposes a limit on the strength of the logic. Interestingly, exclusive delegation is very common in real policies, as the case study of access control on classified information demonstrates (§8), but very few authorization logics and logic-based authorization languages can express it. In particular, any logic that admits the axiom $(k\ \mathsf{says}\ s) \supset (k\ \mathsf{says}\ k'\ \mathsf{says}\ s)$ cannot satisfy the second property. (Observe the difference between this axiom and (I).) Many logics, including the logic used in the author's prior work, namely the GP logic [67], as well as other logics that treat $k\ \mathsf{says}\ s$ as a lax modality [5, 65], admit the much stronger axiom $s \supset k'\ \mathsf{says}\ s$ and, therefore, cannot express exclusive delegation in a reasonable manner. The logic-based authorization languages Soutei [118] and Binder [52] have says modalities similar to that of BLg and are capable of expressing exclusive delegation (see §3.5.2 and §3.6). The policy language SecPAL [23] contains a special syntactic construct $k\ \mathsf{says}\ k'\ \mathsf{cansay}\ s$ to represent exclusive delegations. As mentioned in the beginning of this chapter, being able to express exclusive delegations is the main reason that this thesis uses the logic BL in place of the GP logic.

² In specific cases, this may be inevitable. For example, if $s' \supset s$, then $k\ \mathsf{says}\ s'$ implies $k\ \mathsf{says}\ s$ due to axiom (K).

In the third type of delegation, called full delegation here, complete authority is delegated from one principal to another. If a full delegation is made from $k$ to $k'$, then $k'\ \mathsf{says}\ s$ should entail $k\ \mathsf{says}\ s$ for every $s$. This is a second-order property that cannot be expressed in a first-order logic without a specialized construct. The preorder $k \succeq k'$ in BLg, which may be internalized as a formula in the full logic BL, can be used to express full delegation. Other logics in the past have considered a related formula called "speaks for", often written $k' \Rightarrow k$, with similar effects [8, 65, 88]. In authorization logics with a second-order universal quantifier, $k' \Rightarrow k$ can be encoded as $\forall s.\ ((k'\ \mathsf{says}\ s) \supset (k\ \mathsf{says}\ s))$ [5, 65]. Full delegation, if used indiscriminately, can have dangerous consequences in practice. For instance, a principal making a full delegation may not be aware of all predicates that exist in a distributed system and may inadvertently give away authority, leading to potential misuse. Further, the presence of full delegation makes automatic proof search much more difficult. Owing to these considerations, in all examples in this thesis that use full delegation, the principal delegated to is the local authority, $\ell$ (§3.1).

The last form of delegation we consider is bounded delegation. In this case, the principal obtaining authority through the delegation has no authority to delegate further. A generalization allows delegation chains of fixed depth. Although bounded delegation is very useful in practice, it cannot be expressed within the logic if the enforcement mechanism is proof-carrying authorization. In particular, bounded delegation cannot be enforced in PCFS. This limitation is the consequence of two fundamental assumptions:

- Principals are unconstrained in the policies they create by signing certificates. Consequently, if principal $k$ is delegated control over $s$, $k$ may always sub-delegate the authority to $k'$ by signing $k\ \mathsf{says}\ ((k'\ \mathsf{says}\ s) \supset s)$.

- Any correct proof of authorization is acceptable for access. In the example of the previous point, a proof that used $k$'s certificate would be accepted, provided it were correct otherwise.

Of course, in practice, it is possible to enforce bounded delegation by either restricting what principals may sign, e.g., not allowing $k$ to sign $k\ \mathsf{says}\ ((k'\ \mathsf{says}\ s) \supset s)$ in the first point above, or by restricting the class of acceptable proofs, e.g., disallowing a proof that contains $k$'s delegation certificate. However, both these methods lie outside the proof theory of the logic itself, and are orthogonal to the concerns of this thesis. What would be more aligned to the approach of this thesis is a logic that tracks (counts) the length of a sequence of delegations. The authorization language SecPAL [23] does this to a limited extent.

Dynamic (changing) policies. As mentioned in §1.3, allowed accesses may change in several different ways. Representing and enforcing policies that change over time is quite difficult in logic-based languages, and addressing this challenge is an important goal of both BL and PCFS. Although BLg is not suitable for representing policies that may change, the full logic BL described in §4 allows representation of authorizations that may expire, as well as those that may depend on system state. §9 goes a step further and discusses a linear extension to BL through which consumable credentials may be represented. Comparisons to other logic-based authorization languages with similar features are provided in the respective chapters.

Ordered  rules.  A  policy  idiom  commonly  found  in  traditional  system  configurations  is 
rule  precedence.  For  example,  a  .htaccess  file  defining  the  access  policy  to  web  pages  on 
an  Apache  web  server  may  have  the  following  entries. 

order deny,allow
allow from all
deny from Mallory

The  first  line  says  that  rules  denying  access  take  precedence  over  rules  that  allow  access. 
The  second  line  allows  access  to  everyone,  whereas  the  third  line  denies  access  to  the  user 
Mallory.  Since  the  denying  rule  gets  precedence,  the  net  effect  of  the  policy  is  that  all  users 
except  Mallory  have  access.  If  the  precedence  were  reversed,  all  users  including  Mallory 
would  have  access.  Rule  precedence  is  meaningful  only  if  the  policy  contains  both  allow 
and  deny  rules. 

Although rule precedences similar to the one above are used often in systems, they are extremely difficult to encode in most authorization logics including BLg and BL. The
reason  is  that  in  most  logics  (except  those  that  are  non-monotonic),  if  an  authorization 
follows  from  a  set  of  policy  rules,  then  it  will  also  follow  from  any  extension  of  the  set. 
This  is  a  consequence  of  a  fundamental  proof-theoretic  property  called  weakening  (e.g., 
Theorem  3.3).  On  the  other  hand,  policies  with  rule  precedence  are  incompatible  with  this 
property.  For  instance,  in  the  above  policy,  the  first  two  rules  by  themselves  would  allow 
access  to  Mallory,  whereas  addition  of  the  third  rule  denies  her  access. 

Consequently,  representing  policies  with  rule  precedence  in  a  logic  requires  at  least  one 
of  the  following: 

-  The  logic  be  non-monotonic,  i.e.  it  not  satisfy  weakening. 

-  The  informal  rules  (e.g.,  from  the  file  above)  not  map  one-to-one  to  logical  formulas. 

Both  these  possibilities  are  feasible,  but  are  rather  antithetic  to  the  idea  of  distributed 
authorization.  Use  of  the  first  possibility  requires  that  the  reference  monitor  enforcing 
access  be  aware  of  all  policies  ever  created;  this  goes  against  the  basic  philosophy  of  proof¬ 
carrying  authorization  where  users  present  credentials  to  prove  that  they  have  access.  In 
limited  cases  this  may  be  acceptable,  as  we  do  for  consumable  credentials  in  §9,  but  having 
the  reference  monitor  be  aware  of  all  policy  rules  in  a  distributed  setting  may  be  infeasible. 
The  second  solution  makes  the  representation  of  the  policy  non-modular  -  as  more  denying 
rules  are  added,  prior  allowing  rules  must  be  modified  to  check  for  absence  of  conditions. 
For instance, even though we may encode the rules listed above using a formula of the form $\forall k.\ ((k \neq \mathit{Mallory}) \supset (\mathit{may\_access}\ k))$, if we were to now add a new rule "deny Baddick", we would have to modify the encoding of the existing rules to the formula $\forall k.\ (((k \neq \mathit{Mallory}) \wedge (k \neq \mathit{Baddick})) \supset (\mathit{may\_access}\ k))$. In order to allow for the possibility of making such changes, the policy must again be centralized. Consequently, we do not attempt to encode rule precedence anywhere in this thesis. Indeed, we are unaware of any logic-based solution that attempts to encode policies with rule precedence. However, there are many formalisms outside logic that allow such policies, e.g., [14, 36, 83, 107].


3.2  Structural  Proof  Theory 

We now turn to the centerpiece of this chapter: structural proof theory for BLg. By structural proof theory we mean a system of logical inference that admits the so-called "structural rules" such as weakening and contraction (Theorems 3.3 and 3.8). More specifically, we are interested in a natural deduction system and a sequent calculus for BLg (and for the full logic BL in §4). The natural deduction system provides a syntax for proofs that are used directly in enforcement through proof-carrying authorization (§5), while the sequent calculus is useful for many other practical aspects including proof search (§6) and proving several metatheorems later in this chapter. More significantly, we prove several metatheorems about the natural deduction system and the sequent calculus which provide assurance that the logic itself has strong, meaningful foundations. Such an assurance is of great importance in the context of authorization, where a poorly designed logic may easily result in inadvertent consequences and accesses that were not intended by the policy authors. In particular, for BLg we prove admissibility of cut for the sequent calculus, equivalence of the two inference systems, and consistency. Additionally, theorems showing absence of interference among statements of principals can be established easily as in existing work on other logics [5, 67], but this subject is not explored further in this thesis.

Historically, both the natural deduction style of inference and the sequent calculus were first investigated by Gentzen in the context of predicate logic [70]. The specific approach to proof theory followed here is based on Martin-Löf's judgmental method for type theory, where a distinction is made between formulas and judgments [99]. The presentation of the natural deduction system draws on Pfenning and Davies' work on constructive S4 [115], whereas the presentation of the sequent calculus is inspired by prior joint work on multi-modal S4, also done in the context of authorization [66].


3.2.1  Natural  Deduction 

In Martin-Löf's approach to type theory and logic, formulas are distinguished from judgments. The latter are the objects of knowledge that may be established through proofs. Formulas are the subjects of judgments. For BLg, we require two basic judgments: $s\ \mathsf{true}$, meaning that formula $s$ is true, and $k\ \mathsf{claims}\ s$, meaning that principal $k$ states or claims that formula $s$ is true. The two basic judgments do not entail each other in general. The judgment $k\ \mathsf{claims}\ s$ is internalized by the formula $k\ \mathsf{says}\ s$, which means that $k\ \mathsf{claims}\ s$ is equivalent (at the level of judgments) to $(k\ \mathsf{says}\ s)\ \mathsf{true}$.
Hypothetical judgments and views. Reasoning from hypotheses or assumptions is a basic tenet of logic. For propositional intuitionistic logic the hypothetical judgment takes the form $\Gamma \vdash s\ \mathsf{true}$, meaning that the assumptions in $\Gamma$ entail the judgment $s\ \mathsf{true}$. In the first-order case, a generalization of the form $\Sigma; \Gamma \vdash s\ \mathsf{true}$ is needed. If $\Sigma = x_1{:}\sigma_1, \ldots, x_n{:}\sigma_n$, then $\Sigma; \Gamma \vdash s\ \mathsf{true}$ means that, reasoning under the assumptions that each $x_i$ stands for an arbitrary term of sort $\sigma_i$, there is a proof which shows that the hypotheses $\Gamma$ entail $s\ \mathsf{true}$.

A distinguishing characteristic of BLg is that hypothetical reasoning is always performed relative to the claims of a principal $k$, which we indicate in the hypothetical judgment by writing the latter as $\Sigma; \Gamma \vdash^{k} s\ \mathsf{true}$. ($s\ \mathsf{true}$ is often abbreviated to $s$.) Formally, $k$ is called the view of the hypothetical judgment, or the view of reasoning. The hypotheses, as usual, are a possibly empty multiset of basic judgments:

$$
\begin{array}{lrcl}
\text{Basic judgments} & J & ::= & s\ \mathsf{true} \mid k\ \mathsf{claims}\ s \\
\text{Sorting} & \Sigma & ::= & x_1{:}\sigma_1, \ldots, x_n{:}\sigma_n \qquad (n \geq 0) \\
\text{Hypotheses} & \Gamma & ::= & J_1, \ldots, J_n \qquad (n \geq 0) \\
\text{Hypothetical judgments} & & ::= & \Sigma; \Gamma \vdash^{k} s\ \mathsf{true}
\end{array}
$$


Reasoning in BLg is guided by three basic principles. The first principle, called the view principle, describes how the view $k$ affects reasoning.

View principle. While reasoning in view $k_0$, the assumption $k\ \mathsf{claims}\ s$ entails $s\ \mathsf{true}$ if $k \succeq k_0$.

We incorporate this principle into the natural deduction system by the following rule of inference.

$$\frac{\Sigma \vdash k \succeq k_0}{\Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} s}\;(\textsf{claims})$$

Based on the view principle, we may define the meaning of the hypothetical judgment $\Sigma; \Gamma \vdash^{k} s$ precisely as follows:

"If $\Sigma = x_1{:}\sigma_1, \ldots, x_n{:}\sigma_n$, then under the assumptions that each $x_i$ stands for an arbitrary term of sort $\sigma_i$, and that claims of principals stronger than $k$ are true, there is a proof which shows that $\Gamma$ logically entails that $s$ is true."

Although this choice of relativizing hypothetical judgments to claims of principals is non-standard, it seems quite useful from the perspective of access control, where an authorization may succeed or fail depending on what policies the principal making the decision believes. (A further explanation of the hypothetical judgment in BLg appears in §3.3.1 after a discussion of metatheory.) Another point to note is that in the above definition of hypothetical judgments, there is a single proof which is parametric in $x_1, \ldots, x_n$. In particular, case analysis of possible instances of the variables $x_1, \ldots, x_n$ is not an admissible proof rule. This is manifest in Theorem 3.2.

Our second guiding principle, called the substitution principle, elaborates the meaning of hypotheses. It states that a hypothesis $s\ \mathsf{true}$ used in a proof may be substituted by an actual proof of the hypothesis. This principle occurs in a similar form in judgmental presentations of other logics also (e.g., [39, 115]).

Substitution principle. $\Sigma; \Gamma \vdash^{k} s$ and $\Sigma; \Gamma, s \vdash^{k} s'$ imply $\Sigma; \Gamma \vdash^{k} s'$.

Unlike the view principle, which is incorporated directly as a rule in the natural deduction system, the substitution principle, together with the next principle, is established as a theorem (Theorem 3.5).

The third guiding principle, called the claim principle, defines the relation between the judgments $k\ \mathsf{claims}\ s$ and $s\ \mathsf{true}$. Informally, it states that $k\ \mathsf{claims}\ s$ holds if we can establish $s\ \mathsf{true}$ in the view $k$ from only the claims of other principals. Formally, we define an operator $\Gamma|$ that restricts the hypotheses $\Gamma$ to the claims of principals.

$$\Gamma| = \{(k'\ \mathsf{claims}\ s) \in \Gamma\}$$

The claim principle may then be written as follows.

Claim principle. $\Sigma; \Gamma| \vdash^{k} s$ and $\Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} s'$ imply $\Sigma; \Gamma \vdash^{k_0} s'$.

The requirement to restrict the hypotheses in order to substitute $k\ \mathsf{claims}\ s$ is similar to restrictions that arise for substituting valid hypotheses in constructive S4 [115], and unrestricted assumptions in linear logic [39]. Indeed, $k\ \mathsf{claims}\ s$ is closely related to the validity judgment from constructive S4. This is described further in §3.4.

Inference rules. The inference rules of the natural deduction system are summarized in Figure 3.2. The most basic inference rule is (hyp). It means that if $s\ \mathsf{true}$ is a hypothesis, then $s$ must be true.

$$\frac{}{\Sigma; \Gamma, s \vdash^{k} s}\;(\textsf{hyp})$$

The rule (claims) captures the view principle as described earlier. The remaining rules are directed by the connectives of BLg, as is the norm in a natural deduction system. For each connective, there are introduction rules (marked I) that specify how a proof of the connective may be constructed directly, and elimination rules (marked E) that specify how a proof of the connective may be used. In the following we describe briefly the rules for says.

Since $(k\ \mathsf{says}\ s)\ \mathsf{true}$ internalizes, and hence is equivalent to, the judgment $k\ \mathsf{claims}\ s$, the claim principle tells us that $(k\ \mathsf{says}\ s)\ \mathsf{true}$ may be established if we can establish $s\ \mathsf{true}$ in view $k$ using only claims of principals. This is exactly what the rule (saysI) captures:

$$\frac{\Sigma; \Gamma| \vdash^{k} s}{\Sigma; \Gamma \vdash^{k_0} k\ \mathsf{says}\ s}\;(\textsf{saysI})$$

The equivalence of $(k\ \mathsf{says}\ s)\ \mathsf{true}$ and $k\ \mathsf{claims}\ s$ also implies that we may use $(k\ \mathsf{says}\ s)\ \mathsf{true}$ by assuming $k\ \mathsf{claims}\ s$. This results in the following elimination rule (saysE):

$$\frac{\Sigma; \Gamma \vdash^{k_0} k\ \mathsf{says}\ s \quad \Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} s'}{\Sigma; \Gamma \vdash^{k_0} s'}\;(\textsf{saysE})$$
$$\frac{}{\Sigma; \Gamma, s \vdash^{k} s}\;(\textsf{hyp}) \qquad \frac{\Sigma \vdash k \succeq k_0}{\Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} s}\;(\textsf{claims})$$

$$\frac{\Sigma; \Gamma \vdash^{k} s \quad \Sigma; \Gamma \vdash^{k} s'}{\Sigma; \Gamma \vdash^{k} s \wedge s'}\;(\wedge\textsf{I}) \qquad \frac{\Sigma; \Gamma \vdash^{k} s \wedge s'}{\Sigma; \Gamma \vdash^{k} s}\;(\wedge\textsf{E}_1) \qquad \frac{\Sigma; \Gamma \vdash^{k} s \wedge s'}{\Sigma; \Gamma \vdash^{k} s'}\;(\wedge\textsf{E}_2)$$

$$\frac{\Sigma; \Gamma \vdash^{k} s}{\Sigma; \Gamma \vdash^{k} s \vee s'}\;(\vee\textsf{I}_1) \qquad \frac{\Sigma; \Gamma \vdash^{k} s'}{\Sigma; \Gamma \vdash^{k} s \vee s'}\;(\vee\textsf{I}_2) \qquad \frac{\Sigma; \Gamma \vdash^{k} s \vee s' \quad \Sigma; \Gamma, s \vdash^{k} s'' \quad \Sigma; \Gamma, s' \vdash^{k} s''}{\Sigma; \Gamma \vdash^{k} s''}\;(\vee\textsf{E})$$

$$\frac{\Sigma; \Gamma, s \vdash^{k} s'}{\Sigma; \Gamma \vdash^{k} s \supset s'}\;(\supset\textsf{I}) \qquad \frac{\Sigma; \Gamma \vdash^{k} s \supset s' \quad \Sigma; \Gamma \vdash^{k} s}{\Sigma; \Gamma \vdash^{k} s'}\;(\supset\textsf{E}) \qquad \frac{}{\Sigma; \Gamma \vdash^{k} \top}\;(\top\textsf{I}) \qquad \frac{\Sigma; \Gamma \vdash^{k} \bot}{\Sigma; \Gamma \vdash^{k} s'}\;(\bot\textsf{E})$$

$$\frac{\Sigma, x{:}\sigma; \Gamma \vdash^{k} s}{\Sigma; \Gamma \vdash^{k} \forall x{:}\sigma.\, s}\;(\forall\textsf{I}) \qquad \frac{\Sigma; \Gamma \vdash^{k} \forall x{:}\sigma.\, s \quad \Sigma \vdash t : \sigma}{\Sigma; \Gamma \vdash^{k} s[t/x]}\;(\forall\textsf{E})$$

$$\frac{\Sigma; \Gamma \vdash^{k} s[t/x] \quad \Sigma \vdash t : \sigma}{\Sigma; \Gamma \vdash^{k} \exists x{:}\sigma.\, s}\;(\exists\textsf{I}) \qquad \frac{\Sigma; \Gamma \vdash^{k} \exists x{:}\sigma.\, s \quad \Sigma, x{:}\sigma; \Gamma, s \vdash^{k} s'}{\Sigma; \Gamma \vdash^{k} s'}\;(\exists\textsf{E})$$

$$\frac{\Sigma; \Gamma| \vdash^{k} s}{\Sigma; \Gamma \vdash^{k_0} k\ \mathsf{says}\ s}\;(\textsf{saysI}) \qquad \frac{\Sigma; \Gamma \vdash^{k_0} k\ \mathsf{says}\ s \quad \Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} s'}{\Sigma; \Gamma \vdash^{k_0} s'}\;(\textsf{saysE})$$

Figure 3.2: BLg: Natural deduction

Rules for the connectives $\wedge$, $\vee$, $\supset$, $\top$, $\bot$, $\forall$, and $\exists$ are standard, with the exception that a view is associated with each hypothetical judgment. The view never changes in the rules for any of these connectives, and we elide a description of these standard rules. For any syntactic entity $H$, $H[t/x]$ denotes the standard capture-avoiding substitution of term $t$ for the variable $x$ in $H$. In the rules ($\forall$I) and ($\exists$E), the variable $x$ can occur only in the sub-derivation above the premise in which it appears in the sorting. We assume that implicit $\alpha$-renaming may be performed in quantifiers to force this to be the case.

3.2.2 Metatheory of Natural Deduction

Having defined the natural deduction system for BLg, we now seek to prove general properties of deductions in it. Such properties are called metatheorems. First, we prove the following instantiation theorem, which means that instantiation of parameters (variables in the domain of $\Sigma$) preserves provability or, more succinctly, that a proof of $\Sigma; \Gamma \vdash^{k} s$ is parametric in all variables in the domain of $\Sigma$.

Theorem 3.2 (Instantiation). $\Sigma, x{:}\sigma; \Gamma \vdash^{k} s$ and $\Sigma \vdash t : \sigma$ imply $\Sigma; \Gamma[t/x] \vdash^{k[t/x]} s[t/x]$.

Proof. By induction on the derivation of $\Sigma, x{:}\sigma; \Gamma \vdash^{k} s$, using properties (T-weaken) and (O-weaken) from §3.1. □


Next, we prove that the structural properties of weakening and contraction are admissible in natural deduction.

Theorem 3.3 (Weakening and contraction). The following hold.

1. (Weakening) $\Sigma; \Gamma \vdash^{k} s$ implies $\Sigma; \Gamma, J \vdash^{k} s$.

2. (Contraction) $\Sigma; \Gamma, J, J \vdash^{k} s$ implies $\Sigma; \Gamma, J \vdash^{k} s$.

Further, the derivation in the consequent of each statement has a depth no more than that of the antecedent.³ (As defined in Section 3.2.1, $J$ denotes an arbitrary judgment of the form $s\ \mathsf{true}$ or $k\ \mathsf{claims}\ s$.)

Proof. In each case by induction on the given derivation. □

Two important metatheorems already mentioned in §3.2.1 are the substitution principle and the claim principle. Proving these properties needs another important metatheorem called view subsumption, which states that weaker views make more formulas provable. Intuitively, view subsumption may be justified directly from the definition of hypothetical judgments.

Theorem 3.4 (View subsumption). $\Sigma \vdash k \succeq k'$ and $\Sigma; \Gamma \vdash^{k} s$ imply $\Sigma; \Gamma \vdash^{k'} s$.

Proof. By induction on the derivation of $\Sigma; \Gamma \vdash^{k} s$, and case analysis of the last rule. The only two interesting cases are shown below.

Case. $$\frac{\Sigma \vdash k'' \succeq k}{\Sigma; \Gamma, k''\ \mathsf{claims}\ s \vdash^{k} s}\;(\textsf{claims})$$

1. $\Sigma \vdash k'' \succeq k$ (Premise)
2. $\Sigma \vdash k \succeq k'$ (Assumption)
3. $\Sigma \vdash k'' \succeq k'$ (1, 2; $\succeq$ is a preorder)
4. $\Sigma; \Gamma, k''\ \mathsf{claims}\ s \vdash^{k'} s$ (Rule (claims) on 3)

Case. Here $s = k''\ \mathsf{says}\ s'$.

1. $\Sigma; \Gamma| \vdash^{k''} s'$ (Premise)
2. $\Sigma; \Gamma \vdash^{k'} k''\ \mathsf{says}\ s'$ (Rule (saysI) on 1)

□

³ The depth of a derivation is defined as the maximum number of inference rules on a path in the derivation that starts from its conclusion and ends at a leaf. Rules needed to establish the auxiliary judgment $\Sigma \vdash t : \sigma$ are not part of BLg's inference system and do not count towards the depth.

The following theorem formally states that both the substitution and claim principles hold.

Theorem 3.5 (Substitution and claim). The following hold.

1. (Substitution) $\Sigma; \Gamma \vdash^{k} s$ and $\Sigma; \Gamma, s \vdash^{k} s'$ imply $\Sigma; \Gamma \vdash^{k} s'$.

2. (Claim) $\Sigma; \Gamma| \vdash^{k} s$ and $\Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} s'$ imply $\Sigma; \Gamma \vdash^{k_0} s'$.

Proof. In each case by induction on the second given derivation and case analysis of the last rule in it. The only interesting cases are the following, both in the proof of (2).

Case. $$\frac{\Sigma \vdash k \succeq k_0}{\Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} s}\;(\textsf{claims})$$

To show: $\Sigma; \Gamma \vdash^{k_0} s$

1. $\Sigma; \Gamma| \vdash^{k} s$ (Assumption)
2. $\Sigma; \Gamma \vdash^{k} s$ (Weakening from Theorem 3.3 on 1)
3. $\Sigma \vdash k \succeq k_0$ (Premise)
4. $\Sigma; \Gamma \vdash^{k_0} s$ (Theorem 3.4 on 2 and 3)

Case. $$\frac{\Sigma; (\Gamma, k\ \mathsf{claims}\ s)| \vdash^{k'} s'}{\Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} k'\ \mathsf{says}\ s'}\;(\textsf{saysI})$$

To show: $\Sigma; \Gamma \vdash^{k_0} k'\ \mathsf{says}\ s'$

1. $(\Gamma, k\ \mathsf{claims}\ s)| = \Gamma|, k\ \mathsf{claims}\ s$ (Defn. of $\cdot|$)
2. $\Sigma; \Gamma|, k\ \mathsf{claims}\ s \vdash^{k'} s'$ (Premise and 1)
3. $\Gamma| = (\Gamma|)|$ (Defn. of $\cdot|$)
4. $\Sigma; \Gamma| \vdash^{k} s$ (Assumption)
5. $\Sigma; (\Gamma|)| \vdash^{k} s$ (3, 4)
6. $\Sigma; \Gamma| \vdash^{k'} s'$ (i.h. on 5, 2)
7. $\Sigma; \Gamma \vdash^{k_0} k'\ \mathsf{says}\ s'$ (Rule (saysI) on 6)

□
3.2.3 Sequent Calculus

Next we develop a sequent calculus for BLg. As opposed to a natural deduction system, where rules modify the conclusion of the hypothetical judgment (the right side of $\vdash^{k}$), in a sequent calculus rules operate both on the conclusion and the hypotheses. The merit of a sequent calculus lies in the properties of derivations it admits; in particular, the subformula property (Theorem 3.12) is extremely helpful for proving theorems later in this chapter. When compared to a natural deduction system or an axiomatic system, a sequent calculus is also more amenable to automatic proof search, a fact that we exploit for the full logic BL in §6. Finally, the metatheorems of the sequent calculus, in particular the admissibility of cut (Theorem 3.10), provide further evidence of the good foundations of the logic.

As  for  the  natural  deduction  system  in  §3.2.1,  we  follow  the  judgmental  method.  In 
fact  the  structure  of  hypothetical  judgments  we  use  is  the  same  as  that  for  the  natural 

,  k 

deduction  system.  We  change  the  entailment  symbol  from  h  to  — >  to  distinguish  the  two 
systems  where  confusion  may  arise.  Hypothetical  judgments  in  the  sequent  calculus  are 
called  sequents. 

Sequent  ::=  S;T  s  true 

As  before,  k  is  called  the  view  of  the  sequent  and  we  abbreviate  the  judgment  s  true  to  s 
when  no  confusion  can  arise. 

The  rules  of  BLg’s  sequent  calculus  are  summarized  in  Figure  3.3.  Two  fundamental 
rules  (init)  and  (claims)  relate  the  different  judgments,  (init)  means  that  if  p  true  is  assumed, 
then  it  can  be  concluded,  p  must  be  an  atomic  formula.  It  is  shown  in  Theorem  3.11  that  a 
generalization  of  this  rule  to  arbitrary  formulas  is  admissible  in  the  sequent  calculus,  i.e.  for 
any  formula  s,  there  is  a  sequent  calculus  derivation  of  S;T,s  s.  It  should  be  observed 
that  (init)  is  the  only  rule  that  relates  the  hypotheses  of  a  sequent  to  its  conclusion.  All 
other  rules  operate  exclusively  either  on  the  hypotheses  or  on  the  conclusion,  (claims)  is 
the  sequent  calculus  equivalent  of  the  rule  of  same  name  in  the  natural  deduction  system 
(Figure  3.2).  However,  in  the  sequent  calculus,  the  rule  works  entirely  in  the  hypotheses  - 
the  judgment  s  true  derived  from  k  claims  s  is  introduced  as  an  assumption  in  the  premise, 
rather  than  a  conclusion  (as  was  the  case  in  the  natural  deduction  system). 

The remaining rules of the sequent calculus are directed by the connectives of BL_S. For
each connective, there are right rules (marked R), which specify how the connective may be
decomposed if it appears at the top level in the conclusion of a sequent, and there are left
rules (marked L), which specify how the connective may be decomposed in the hypotheses.
The right rules are similar to introduction rules of the natural deduction system. The left
rules fulfill the purpose of the elimination rules from the natural deduction system, but are
not similar to them, since the former decompose connectives in the hypotheses instead of
conclusions. However, as Theorem 3.13 shows, the two formulations are equivalent in terms
of provability.

4 Strictly speaking, in a sequent calculus the judgment s true in the hypotheses should be distinguished
from that in conclusions. However, this distinction is always evident from the position of the judgment in a
sequent, so we use the name true for both.
\[\frac{}{\Sigma; \Gamma, p \xrightarrow{k} p}\ (\mathrm{init})
\qquad
\frac{\Sigma \vdash k \succeq k' \qquad \Sigma; \Gamma, k\ \mathsf{claims}\ s, s \xrightarrow{k'} r}{\Sigma; \Gamma, k\ \mathsf{claims}\ s \xrightarrow{k'} r}\ (\mathrm{claims})\]

\[\frac{\Sigma; \Gamma \xrightarrow{k} s \qquad \Sigma; \Gamma \xrightarrow{k} s'}{\Sigma; \Gamma \xrightarrow{k} s \wedge s'}\ (\wedge R)
\qquad
\frac{\Sigma; \Gamma, s \wedge s', s, s' \xrightarrow{k} r}{\Sigma; \Gamma, s \wedge s' \xrightarrow{k} r}\ (\wedge L)\]

\[\frac{\Sigma; \Gamma \xrightarrow{k} s}{\Sigma; \Gamma \xrightarrow{k} s \vee s'}\ (\vee R_1)
\qquad
\frac{\Sigma; \Gamma \xrightarrow{k} s'}{\Sigma; \Gamma \xrightarrow{k} s \vee s'}\ (\vee R_2)
\qquad
\frac{\Sigma; \Gamma, s \vee s', s \xrightarrow{k} r \qquad \Sigma; \Gamma, s \vee s', s' \xrightarrow{k} r}{\Sigma; \Gamma, s \vee s' \xrightarrow{k} r}\ (\vee L)\]

\[\frac{}{\Sigma; \Gamma \xrightarrow{k} \top}\ (\top R)
\qquad
\frac{}{\Sigma; \Gamma, \bot \xrightarrow{k} r}\ (\bot L)\]

\[\frac{\Sigma; \Gamma, s \xrightarrow{k} s'}{\Sigma; \Gamma \xrightarrow{k} s \supset s'}\ (\supset R)
\qquad
\frac{\Sigma; \Gamma, s \supset s' \xrightarrow{k} s \qquad \Sigma; \Gamma, s \supset s', s' \xrightarrow{k} r}{\Sigma; \Gamma, s \supset s' \xrightarrow{k} r}\ (\supset L)\]

\[\frac{\Sigma, x{:}\sigma; \Gamma \xrightarrow{k} s}{\Sigma; \Gamma \xrightarrow{k} \forall x{:}\sigma.\, s}\ (\forall R)
\qquad
\frac{\Sigma; \Gamma, \forall x{:}\sigma.\, s, s[t/x] \xrightarrow{k} r \qquad \Sigma \vdash t : \sigma}{\Sigma; \Gamma, \forall x{:}\sigma.\, s \xrightarrow{k} r}\ (\forall L)\]

\[\frac{\Sigma; \Gamma \xrightarrow{k} s[t/x] \qquad \Sigma \vdash t : \sigma}{\Sigma; \Gamma \xrightarrow{k} \exists x{:}\sigma.\, s}\ (\exists R)
\qquad
\frac{\Sigma, x{:}\sigma; \Gamma, \exists x{:}\sigma.\, s, s \xrightarrow{k} r}{\Sigma; \Gamma, \exists x{:}\sigma.\, s \xrightarrow{k} r}\ (\exists L)\]

\[\frac{\Sigma; \Gamma| \xrightarrow{k} s}{\Sigma; \Gamma \xrightarrow{k'} k\ \mathsf{says}\ s}\ (\mathsf{says}R)
\qquad
\frac{\Sigma; \Gamma, k\ \mathsf{says}\ s, k\ \mathsf{claims}\ s \xrightarrow{k'} r}{\Sigma; \Gamma, k\ \mathsf{says}\ s \xrightarrow{k'} r}\ (\mathsf{says}L)\]

Figure 3.3: BL_S: Cut-free sequent calculus


The rules for the connectives $\wedge$, $\vee$, $\supset$, $\top$, $\bot$, $\forall$, and $\exists$ are standard, and we do not
describe them here. Rule (saysR) is identical to (saysI), except for the difference in the
entailment symbol. Rule (saysL) allows decomposition of (k says s) true in the hypotheses
by introducing the equivalent judgment k claims s as an additional assumption.
In the rules ($\forall$R) and ($\exists$L), the variable x can occur only in the sub-derivation above the
premise in which it appears in the sorting.

Example 3.6. We revisit Example 3.1, showing how the authorization admin says (may Bob
secret.txt read) may be derived from the policy rules and credentials (1)-(9) in Figure 3.1.

Let the set of formulas (1)-(9) be denoted by $\Gamma$. What we seek to show is that
$\Sigma; \Gamma \xrightarrow{k} \text{admin says (may Bob secret.txt read)}$,
where $\Sigma$ defines the sorts of known constants like Bob,
secret.txt, etc. and k is arbitrary. We construct a sequent calculus proof working backwards
from this required sequent.

First, using the rule (saysL) from Figure 3.3 several times, we observe that it suffices to
show instead that

(3.7)  $\Sigma; \Gamma' \xrightarrow{k} \text{admin says (may Bob secret.txt read)}$

where $\Gamma'$ is obtained from $\Gamma$ by replacing all top-level says with claims. Abusing notation
slightly, we refer to the formulas in $\Gamma'$ with the same numbers as the original formulas in
$\Gamma$. Next, using the rule (saysR) it suffices to show that
$\Sigma; \Gamma'| \xrightarrow{\text{admin}} \text{may Bob secret.txt read}$.
Since $\Gamma'| = \Gamma'$, it is enough to prove that

(3.8)  $\Sigma; \Gamma' \xrightarrow{\text{admin}} \text{may Bob secret.txt read}$

Using the rule (claims) on hypothesis (1), it suffices to prove

(3.9)  $\Sigma; \Gamma', r_1 \xrightarrow{\text{admin}} \text{may Bob secret.txt read}$

where

$r_1 = \forall k, k', f.\ (((\text{hasLevelForFile } k\ f) \wedge (\text{system says (owns } k'\ f)) \wedge (k' \text{ says (may } k\ f \text{ read)})) \supset \text{may } k\ f \text{ read})$

Using rule ($\forall$L) on $r_1$ thrice to instantiate the universal quantifiers, followed by ($\supset$L) to
decompose the implication in $r_1$ and ($\wedge$R) to decompose the conjunctions, we observe that
it suffices to show each of the following.

(3.10)  $\Sigma; \Gamma', r_1 \xrightarrow{\text{admin}} \text{hasLevelForFile Bob secret.txt}$

(3.11)  $\Sigma; \Gamma', r_1 \xrightarrow{\text{admin}} \text{system says (owns Alice secret.txt)}$

(3.12)  $\Sigma; \Gamma', r_1 \xrightarrow{\text{admin}} \text{Alice says (may Bob secret.txt read)}$

The proof of (3.10) follows a pattern similar to the above, except that we must now operate
on policy rule (2); the details are omitted here since they provide no new insight. Proofs
of (3.11) and (3.12) are similar to each other. As an illustration, we show how (3.12) is
established. Using the rule (saysR) and observing that $(\Gamma', r_1)| = \Gamma'$, it suffices to show that

(3.13)  $\Sigma; \Gamma' \xrightarrow{\text{Alice}} \text{may Bob secret.txt read}$

Next, we apply the rule (claims) to policy rule (9), reducing the problem to that of proving

(3.14)  $\Sigma; \Gamma', r_2 \xrightarrow{\text{Alice}} \text{may Bob secret.txt read}$

where

$r_2 = \text{may Bob secret.txt read}$

Since $r_2$ equals the conclusion of (3.14), the latter follows immediately from rule (init) and
hence this branch closes.
This example illustrates the general pattern of deriving authorizations from policies
written in BL_S. The key observation here is that whenever the sequent to be established
has a conclusion of the form k says s, e.g., (3.7) and (3.12) above, the (saysR) rule can
be used to reduce the problem to that of showing s in the view k. The new view k is
very important since it allows application of the (claims) rule to promote claims of k to
truth, which may not have been possible in earlier views. In the example above, we use the
latter step to introduce the assumptions $r_1$ and $r_2$ in (3.9) and (3.14) respectively. Truth
assumptions like $r_1$ and $r_2$ can then be decomposed using left rules. This may result in new
goals as, for example, happens above when the implication in $r_1$ is decomposed. Due to the
restriction operator $\Gamma|$, (saysR) also removes truth assumptions from earlier views, e.g., $r_1$
is removed in (3.13) when the view changes from admin to Alice. This is essential because
the principal in the new view may not believe truths from an earlier view: $r_1$, for example,
was stated by admin and Alice may not trust it.


3.2.4  Metatheory  of  the  Sequent  Calculus 

Some of the metatheorems of the natural deduction system have corresponding analogues in
the sequent calculus as well. These include instantiation (Theorem 3.2), weakening and
contraction (Theorem 3.3), and view subsumption (Theorem 3.4).

Theorem 3.7 (Instantiation). $\Sigma, x{:}\sigma; \Gamma \xrightarrow{k} s$ and $\Sigma \vdash t : \sigma$ imply $\Sigma; \Gamma[t/x] \xrightarrow{k[t/x]} s[t/x]$.

Proof. By induction on the derivation of $\Sigma, x{:}\sigma; \Gamma \xrightarrow{k} s$, using properties (T-weaken) and
(O-weaken) from §3.1. □

Theorem 3.8 (Weakening and contraction). The following hold.

1. (Weakening) $\Sigma; \Gamma \xrightarrow{k} s$ implies $\Sigma; \Gamma, J \xrightarrow{k} s$.

2. (Contraction) $\Sigma; \Gamma, J, J \xrightarrow{k} s$ implies $\Sigma; \Gamma, J \xrightarrow{k} s$.

Further the derivation in the consequent of each statement has a depth no more than
that of the antecedent.

Proof. In each case by induction on the given derivation. □

Theorem 3.9 (View subsumption). $\Sigma \vdash k \succeq k'$ and $\Sigma; \Gamma \xrightarrow{k} s$ imply $\Sigma; \Gamma \xrightarrow{k'} s$.

Proof. By induction on the given derivation of $\Sigma; \Gamma \xrightarrow{k} s$. □


An extremely important theorem in the sequent calculus is admissibility of cut [70],
which we state and prove below. Superficially, the statement of the theorem is similar to
the substitution and claim principles from natural deduction (Theorem 3.5). However, its
implications are different. In particular, admissibility of cut in a sequent calculus can be
construed as a proof-theoretic statement of the soundness of the inference system, because
together with the identity theorem (Theorem 3.11), it implies that the left rules and right
rules are in harmony with each other. A precise understanding of this intuition can only be
obtained by working through the details of the proof of admissibility of cut. Here, it suffices
to state that admissibility of cut provides a very strong assurance of good proof-theoretic
foundations, which are essential for an authorization logic like BL_S. A second use of the
cut theorem is in proving other theorems. For instance it is used to show that axiomatic
and natural deduction proofs can be simulated in the sequent calculus (Theorem 3.13).

Theorem 3.10 (Admissibility of cut). The following hold.

1. $\Sigma; \Gamma \xrightarrow{k} s$ and $\Sigma; \Gamma, s \xrightarrow{k} r$ imply $\Sigma; \Gamma \xrightarrow{k} r$.

2. $\Sigma; \Gamma| \xrightarrow{k} s$ and $\Sigma; \Gamma, k\ \mathsf{claims}\ s \xrightarrow{k'} r$ imply $\Sigma; \Gamma \xrightarrow{k'} r$.

Proof. By simultaneous lexicographic induction, first on the size of the cut formula s, then
on the order (2) > (1) on the inductive hypotheses, and then on the depths of the two given
derivations. This follows prior work for intuitionistic logic [113] and linear logic [43]. Since
the proof in [113] is modular in the connectives, we only need to consider new cases for says
and claims. For the benefit of the uninitiated reader we provide some details of the proof,
and show some representative cases.

Let the letters $\mathcal{D}$ and $\mathcal{E}$ denote the first and second given derivations in each case. To
prove (1) we analyze four exhaustive cases separately: (a) where $\mathcal{E}$ ends in a right rule, (b)
where $\mathcal{E}$ ends in a left rule but the cut is not principal (i.e. s is not the subject of the last
rule in $\mathcal{E}$), (c) where $\mathcal{D}$ ends in a left rule, and (d) where $\mathcal{E}$ ends in a left rule, $\mathcal{D}$ ends in a
right rule and the cut is principal (i.e. s is the subject of the last rule of $\mathcal{E}$). Of these (a),
(b), and (c) are straightforward. We show here one new case in (d), namely the principal
cut of the says connective.


Case. $\mathcal{D} = \dfrac{\Sigma; \Gamma| \xrightarrow{k} s}{\Sigma; \Gamma \xrightarrow{k_0} k\ \mathsf{says}\ s}\ (\mathsf{says}R)$
and
$\mathcal{E} = \dfrac{\Sigma; \Gamma, k\ \mathsf{says}\ s, k\ \mathsf{claims}\ s \xrightarrow{k_0} r}{\Sigma; \Gamma, k\ \mathsf{says}\ s \xrightarrow{k_0} r}\ (\mathsf{says}L)$

and the cut judgment is k says s. To show: $\Sigma; \Gamma \xrightarrow{k_0} r$.

1. $\Sigma; \Gamma, k\ \mathsf{claims}\ s \xrightarrow{k_0} r$  (i.h.(1) on $\mathcal{D}$ and premise of $\mathcal{E}$)

2. $\Sigma; \Gamma \xrightarrow{k_0} r$  (i.h.(2) on premise of $\mathcal{D}$ and 1)

The application of i.h. in the first step is justified because $\mathcal{E}$ gets smaller. Even though
the derivation obtained from step 1 is potentially larger than $\mathcal{E}$, the use of i.h. in the second
step is justified because the cut formula s is smaller, and the induction is lexicographic first
in the size of this formula, and second in the size of the derivations.

To prove (2) we case analyze the last rule in the derivation of $\mathcal{E}$, distinguishing principal
and non-principal cuts when the last rule is a left rule. The only two interesting cases are
shown below.

Case. $\mathcal{E} = \dfrac{\Sigma \vdash k \succeq k_0 \qquad \Sigma; \Gamma, k\ \mathsf{claims}\ s, s \xrightarrow{k_0} r}{\Sigma; \Gamma, k\ \mathsf{claims}\ s \xrightarrow{k_0} r}\ (\mathrm{claims})$

and the cut judgment is k claims s. To show: $\Sigma; \Gamma \xrightarrow{k_0} r$.

1. $\Sigma; \Gamma, s \xrightarrow{k_0} r$  (i.h.(2) on $\mathcal{D}$ and premise of $\mathcal{E}$)

2. $\Sigma; \Gamma \xrightarrow{k} s$  (Weakening from Theorem 3.8 on $\mathcal{D}$)

3. $\Sigma; \Gamma \xrightarrow{k_0} s$  (Theorem 3.9 on 2)

4. $\Sigma; \Gamma \xrightarrow{k_0} r$  (i.h.(1) on 3, 1)

The use of the i.h. in the last step is justified because of the assumed order (2) > (1)
among the inductive hypotheses.


Case. $\mathcal{E} = \dfrac{\Sigma; (\Gamma, k\ \mathsf{claims}\ s)| \xrightarrow{k'} s'}{\Sigma; \Gamma, k\ \mathsf{claims}\ s \xrightarrow{k_0} k'\ \mathsf{says}\ s'}\ (\mathsf{says}R)$

and the cut judgment is k claims s. To show: $\Sigma; \Gamma \xrightarrow{k_0} k'\ \mathsf{says}\ s'$.

1. $(\Gamma, k\ \mathsf{claims}\ s)| = \Gamma|, k\ \mathsf{claims}\ s$  (Defn. of $\cdot|$)

2. $\Sigma; \Gamma|, k\ \mathsf{claims}\ s \xrightarrow{k'} s'$  (Premise of $\mathcal{E}$ and 1)

3. $(\Gamma|)| = \Gamma|$  (Defn. of $\cdot|$)

4. $\Sigma; (\Gamma|)| \xrightarrow{k} s$  ($\mathcal{D}$ and 3)

5. $\Sigma; \Gamma| \xrightarrow{k'} s'$  (i.h.(2) on 4, 2)

6. $\Sigma; \Gamma \xrightarrow{k_0} k'\ \mathsf{says}\ s'$  (Rule ($\mathsf{says}R$) on 5)

□

Another meta-property of the sequent calculus is the following identity theorem, which
generalizes the (init) rule from atomic formulas p to arbitrary formulas s. Like admissibility
of cut, the identity theorem also provides confidence that the left and right rules of the
sequent calculus fit well with each other.

Theorem 3.11 (Identity). $\Sigma; \Gamma, s \xrightarrow{k} s$ for each s.

Proof. By induction on s. □

The last metatheorem about the sequent calculus that we prove here is the subformula
property. This property states that if we look at any sequent calculus proof of $\Sigma; \Gamma \xrightarrow{k} s$,
then the only formulas arising in this proof are subformulas of formulas already present
in $\Gamma, s$. Intuitively, this property holds because every sequent calculus rule when read
from the conclusion to premises only decomposes formulas. Hence, proceeding backwards,
the formulas always get smaller. Although we will not have occasion to use this theorem
directly, the idea of having only subformulas is used implicitly in the proofs of several other
theorems, including those involving translations between logics later in this chapter (§3.5).
Formally, we define the subformula relation $s \subseteq s'$ as the least relation that is reflexive,
transitive, closed under applications of all logical connectives (congruent), and includes the
following relations.

\[s \subseteq s \wedge s' \quad s' \subseteq s \wedge s' \quad s \subseteq s \vee s' \quad s' \subseteq s \vee s' \quad s \subseteq s \supset s' \quad s' \subseteq s \supset s'\]

\[s[t/x] \subseteq \forall x{:}\sigma.\, s \quad s[t/x] \subseteq \exists x{:}\sigma.\, s \quad s \subseteq k\ \mathsf{says}\ s\]

We further extend the relation to judgments by requiring that $k\ \mathsf{claims}\ s \subseteq k\ \mathsf{says}\ s$ and
$s \subseteq k\ \mathsf{claims}\ s$, and taking the reflexive, transitive, and congruence closure again.

Theorem 3.12 (Subformula property). Suppose the sequent $\Sigma'; \Gamma' \xrightarrow{k'} s'$ appears in a proof
of the sequent $\Sigma; \Gamma \xrightarrow{k} s$. Then for each judgment $J'$ in $\Gamma', s'$, there is a judgment $J$ in $\Gamma, s$
such that $J' \subseteq J$.

Proof. By induction on the derivation of $\Sigma; \Gamma \xrightarrow{k} s$. □
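The backward search that Example 3.6 carries out by hand, and the subformula property that Theorem 3.12 states, can both be watched at work in a small prover. The following Python program is an added illustration and not code from the thesis: it implements the propositional fragment of Figure 3.3 (atoms, ∧, ⊃ and says, with views, claims and the restriction operator), performs the three (∀L) instantiations of policy rule (1) by hand as the example does, and stands in for rule (2) of Figure 3.1, which is not reproduced here, with a direct credential from admin. The formula encoding, the policy, the principal names and the `order` relation are all constructed for the example.

```python
"""Backward proof search for the propositional fragment of the BL_S sequent
calculus of Figure 3.3 (atoms, conjunction, implication, says), with views,
the claims judgment and the restriction operator Gamma|.  Added illustration,
not code from the thesis; the encoding and the policy are constructed."""

# Encoding (assumed): formulas are ('atom', name) | ('and', s, t) | ('imp', s, t)
# | ('says', k, s); hypotheses are ('true', s) or ('claims', k, s); a sequent
# Sigma; Gamma --k--> s is (frozenset of hypotheses, view k, goal s).  The
# sorting Sigma plays no role in the propositional fragment and is omitted.
def atom(name):  return ('atom', name)
def and_(s, t):  return ('and', s, t)
def imp(s, t):   return ('imp', s, t)
def says(k, s):  return ('says', k, s)

def stronger(k, k0, order):
    """Sigma |- k >= k0; `order` lists the pairs (k, k0) beyond reflexivity."""
    return k == k0 or (k, k0) in order

def restrict(gamma):
    """Gamma| keeps the claims judgments and erases every truth assumption."""
    return frozenset(j for j in gamma if j[0] == 'claims')

def saturate(gamma, view, order):
    """Apply (claims), (saysL) and (andL), which only add hypotheses, to a fixpoint."""
    gamma = set(gamma)
    while True:
        new = set()
        for j in gamma:
            if j[0] == 'claims' and stronger(j[1], view, order):
                new.add(('true', j[2]))                                   # (claims)
            elif j[0] == 'true' and j[1][0] == 'says':
                new.add(('claims', j[1][1], j[1][2]))                     # (saysL)
            elif j[0] == 'true' and j[1][0] == 'and':
                new.update({('true', j[1][1]), ('true', j[1][2])})        # (andL)
        if new <= gamma:
            return frozenset(gamma)
        gamma |= new

def prove(gamma, view, goal, order, trace=None):
    """Decide Sigma; Gamma --view--> goal by backward search.  A sequent that
    reappears on the current branch fails, so the search terminates; `trace`,
    if given, collects every sequent visited."""
    def go(gamma, view, goal, path):
        gamma = saturate(gamma, view, order)
        key = (gamma, view, goal)
        if key in path:
            return False
        if trace is not None:
            trace.append(key)
        path = path | {key}
        t = goal[0]
        if t == 'atom' and ('true', goal) in gamma:                                # (init)
            return True
        if t == 'and' and go(gamma, view, goal[1], path) and go(gamma, view, goal[2], path):  # (andR)
            return True
        if t == 'imp' and go(gamma | {('true', goal[1])}, view, goal[2], path):   # (impR)
            return True
        if t == 'says' and go(restrict(gamma), goal[1], goal[2], path):          # (saysR): new view
            return True
        for j in gamma:                                                          # (impL)
            if j[0] == 'true' and j[1][0] == 'imp' and ('true', j[1][2]) not in gamma:
                if go(gamma, view, j[1][1], path) and go(gamma | {('true', j[1][2])}, view, goal, path):
                    return True
        return False
    return go(frozenset(gamma), view, goal, frozenset())

def below(j):
    """Judgments J' with J' below j under the subformula relation of Theorem 3.12."""
    out = {j}
    if j[0] == 'claims':
        out |= below(('true', j[2]))                       # s true below k claims s
    elif j[1][0] in ('and', 'imp'):
        out |= below(('true', j[1][1])) | below(('true', j[1][2]))
    elif j[1][0] == 'says':
        out |= below(('claims', j[1][1], j[1][2]))         # k claims s below k says s
    return out

def subformula_property_holds(gamma, view, goal, order):
    """Check Theorem 3.12 on one search: every hypothesis and goal of every
    visited sequent lies below some judgment of the root sequent."""
    trace = []
    prove(gamma, view, goal, order, trace)
    allowed = set().union(below(('true', goal)), *(below(j) for j in gamma))
    return all(set(g) | {('true', s)} <= allowed for g, _, s in trace)

# Constructed policy after Example 3.6.  The three (forallL) steps are done by
# hand, so rule (1) appears instantiated to Bob, Alice and secret.txt; rule (2)
# of Figure 3.1 is replaced by a direct credential from admin (an assumption).
MAY   = atom('may Bob secret.txt read')
LEVEL = atom('hasLevelForFile Bob secret.txt')
OWNS  = atom('owns Alice secret.txt')
R1 = imp(and_(and_(LEVEL, says('system', OWNS)), says('Alice', MAY)), MAY)
POLICY = frozenset({('true', says('admin', R1)), ('true', says('admin', LEVEL)),
                    ('true', says('system', OWNS)), ('true', says('Alice', MAY))})
ORDER = set()  # no principal is stronger than another here

def example_3_6(policy=POLICY):
    """Sigma; Gamma --k--> admin says (may Bob secret.txt read), view k arbitrary."""
    return prove(policy, 'k', says('admin', MAY), ORDER)

if __name__ == '__main__':
    print(example_3_6())                                               # True
    print(example_3_6(POLICY - {('true', says('Alice', MAY))}))        # False: credential (9) missing
    print(prove({('true', MAY)}, 'Bob', says('Alice', MAY), ORDER))    # False: truth erased by (saysR)
```

The search follows the example's shape: hypothesis-only left rules are applied to saturation, (saysR) switches the view and applies the restriction, and (claims) is the only way a principal's claims become truths. The last call shows the point made about (3.13): a truth assumption from view Bob does not survive the change of view to Alice, whereas the same formula given as Alice says s does.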

3.3  Equivalence  of  Proof  Systems 

We have presented three different proof systems for BL_S: an axiomatic system in §3.1.1, a
natural deduction system in §3.2.1, and a sequent calculus in §3.2.3. Now we show that,
despite their vast differences, they establish the same judgments. Formally, we show that
proofs in each system can be simulated in the other two. In order to represent hypothetical
judgments in the axiomatic system, we define a mapping $\overline{\cdot}$ from judgments and hypotheses
to formulas.

\[\overline{s\ \mathit{true}} = s \qquad \overline{k\ \mathsf{claims}\ s} = k\ \mathsf{says}\ s \qquad \overline{J_1, \ldots, J_n} = \overline{J_1} \wedge \ldots \wedge \overline{J_n}\]

Theorem 3.13 (Equivalence). The following are equivalent for any $\Sigma$, $\Gamma$, k and s.

1. $\Sigma; \Gamma \xrightarrow{k} s$ in the sequent calculus.

2. $\Sigma; \Gamma \vdash^{k} s$ in the natural deduction system.

3. $\Sigma \vdash k\ \mathsf{says}\ (\overline{\Gamma} \supset s)$ in the axiomatic system.

Proof. We show that 1 ⇒ 2 ⇒ 3 ⇒ 1.

Proof of 1 ⇒ 2. To show that every sequent calculus proof can be simulated in the
natural deduction system we induct on proofs of $\Sigma; \Gamma \xrightarrow{k} s$ and case analyze the last rule
in the derivation. This is fairly standard, and we show here only the new cases involving
claims and says.

Case. $\dfrac{\Sigma \vdash k \succeq k_0 \qquad \Sigma; \Gamma, k\ \mathsf{claims}\ s, s \xrightarrow{k_0} r}{\Sigma; \Gamma, k\ \mathsf{claims}\ s \xrightarrow{k_0} r}\ (\mathrm{claims})$

To show: $\Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} r$

1. $\Sigma; \Gamma, k\ \mathsf{claims}\ s, s \vdash^{k_0} r$  (i.h. on premise)

2. $\Sigma \vdash k \succeq k_0$  (Premise)

3. $\Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} s$  (Rule (claims) on 2)

4. $\Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash^{k_0} r$  (Theorem 3.5 on 3, 1)

Case. $\dfrac{\Sigma; \Gamma| \xrightarrow{k} s}{\Sigma; \Gamma \xrightarrow{k_0} k\ \mathsf{says}\ s}\ (\mathsf{says}R)$

To show: $\Sigma; \Gamma \vdash^{k_0} k\ \mathsf{says}\ s$

1. $\Sigma; \Gamma| \vdash^{k} s$  (i.h. on premise)

2. $\Sigma; \Gamma \vdash^{k_0} k\ \mathsf{says}\ s$  (Rule ($\mathsf{says}I$) on 1)

Case. $\dfrac{\Sigma; \Gamma, k\ \mathsf{says}\ s, k\ \mathsf{claims}\ s \xrightarrow{k_0} r}{\Sigma; \Gamma, k\ \mathsf{says}\ s \xrightarrow{k_0} r}\ (\mathsf{says}L)$

To show: $\Sigma; \Gamma, k\ \mathsf{says}\ s \vdash^{k_0} r$

1. $\Sigma; \Gamma, k\ \mathsf{says}\ s, k\ \mathsf{claims}\ s \vdash^{k_0} r$  (i.h. on premise)

2. $\Sigma; \Gamma, k\ \mathsf{says}\ s \vdash^{k_0} k\ \mathsf{says}\ s$  (Rule (hyp))

3. $\Sigma; \Gamma, k\ \mathsf{says}\ s \vdash^{k_0} r$  (Rule ($\mathsf{says}E$) on 2, 1)


Proof of 2 ⇒ 3. Proving that the natural deduction system can be simulated in the
axiomatic system requires many lemmas about the latter. These details and the proof are
covered in Appendix A. In particular, see Lemma A.2.

Proof of 3 ⇒ 1. First we prove that if $\Sigma \vdash s$ in the axiomatic system, then for every k, $\Sigma; \cdot \xrightarrow{k} s$, by showing
that every axiom and rule in the axiomatic system can be simulated in the sequent calculus.
This is straightforward but requires admissibility of cut (Theorem 3.10) as well as identity
(Theorem 3.11); details are in Appendix A (Lemma A.3).

Next we complete the proof assuming this fact. Suppose that $\Sigma \vdash k\ \mathsf{says}\ (\overline{\Gamma} \supset s)$. It
follows that $\Sigma; \cdot \xrightarrow{k} k\ \mathsf{says}\ (\overline{\Gamma} \supset s)$. The only rule that can be used to derive this sequent is
(saysR). Hence, the premise of the rule, i.e. $\Sigma; \cdot \xrightarrow{k} \overline{\Gamma} \supset s$, must also hold. Again, the only
rule that can be used to derive this sequent is ($\supset$R). From the premise of this rule we get
$\Sigma; \overline{\Gamma} \xrightarrow{k} s$. Now observe that $\Sigma; \Gamma \xrightarrow{k} \overline{\Gamma}$. Using Theorem 3.10 on the last two sequents we
get $\Sigma; \Gamma \xrightarrow{k} s$ as required. □




Chapter  3.  BLg:  An  Authorization  Logic  for  Static  Policies 


3.3.1 On the Nature of Hypothetical Judgments in BL_S

According to Theorem 3.13, the hypothetical judgment $\Sigma; \Gamma \vdash^{k} s$ (and the sequent $\Sigma; \Gamma \xrightarrow{k} s$)
is equivalent to the formula k says ($\overline{\Gamma} \supset s$) in the axiomatic system. This has two obvious
consequences. First, the natural deduction system and the sequent calculus correspond only
to a fragment of the axiomatic system, namely the one consisting of formulas that begin
with k says ·. Second, and perhaps more significantly, the view k of a hypothetical judgment
applies to the entire hypothetical judgment, not just the conclusion.

The latter means that hypothetical reasoning is always relativized to the claims of the
principal in the view. The truth of a formula is also relative to the view; whenever the view
changes in a natural deduction or sequent calculus proof (in the rules (saysI) and (saysR)),
judgments of the form s true in the hypotheses are erased by the operator $\Gamma|$. These ideas
were illustrated in Example 3.6. Whereas this relativization of truth may seem unusual for a
logic, it is quite useful in the context of authorization. Indeed, in practice, an authorization
will succeed or fail based solely on what the authorizer can be convinced of. This is precisely
the case in BL_S.

There is also an extension of the structural proof theory of BL_S that contains a "pure"
hypothetical judgment $\Sigma; \Gamma \vdash s$. All rules of natural deduction, except (claims), are allowed
for this hypothetical judgment. Further, the new hypothetical judgment in the extension
corresponds exactly to the axiomatic system. Since this extension is not useful from the
perspective of authorization we do not pursue it in detail here.


3.4  Relation  to  the  Modal  Logic  Constructive  S4 

Note:  This  section  assumes  basic  familiarity  with  modal  logic,  and  is  likely  to  be  relevant 
only  to  readers  familiar  with  it.  Uninterested  readers  may  skip  this  section  without  affecting 
readability  of  the  rest  of  this  thesis. 

Since k says s is a modality, a natural question to ask is whether BL_S is related to
other existing modal logics. The answer to this question is affirmative: BL_S is very closely
connected to the modal logic constructive S4 (CS4) [11, 29, 115]. The latter is an intuitionistic
version of the modal logic S4 whose semantics and proof theory have been explored
extensively in the past. In this section, we establish connections between the propositional
fragment of BL_S (i.e. the fragment without any quantifiers) and the fragment of CS4 without
the possibility modality. The restriction to the propositional case is motivated by the fact
that propositional CS4 has a well-studied proof theory. Precisely, we show the following.

• Propositional BL_S, when restricted to only one principal (say $\ell$), reduces to CS4 without
the possibility modality $\Diamond$. In particular, in this case the modality $\ell$ says · behaves
exactly like $\Box$ in CS4.

• The translation from propositional BL_S to CS4 that maps k says s to $\Box(g_k \supset s)$
(where, for each k, $g_k$ is a distinguished atomic formula in CS4) and all other
connectives to themselves is an embedding, i.e. it is sound and complete in terms of
provability. This shows that k says s in BL_S is similar in nature to a necessitation
modality.

Constructive S4. CS4 is a propositional intuitionistic (constructive) modal logic with
the usual modalities of necessitation $\Box$ and possibility $\Diamond$. Here, we are concerned with CS4
without $\Diamond$. A Hilbert style proof system for this logic consists of any axiomatization of
intuitionistic propositional logic, and the following rules and axioms for $\Box s$ [11].

\[\frac{\vdash s}{\vdash \Box s}\ (\mathrm{nec})
\qquad
\vdash (\Box(s \supset s')) \supset ((\Box s) \supset (\Box s'))\ (\mathrm{K})
\qquad
\vdash (\Box s) \supset \Box\Box s\ (4)
\qquad
\vdash (\Box s) \supset s\ (\mathrm{T})\]

A natural deduction system for CS4 was described by Pfenning and Davies [115], and a
sequent calculus for a generalization with indexed modalities and linearity appeared in
prior work [66]. Further, Alechina et al. have studied Kripke and categorical semantics of
CS4 [11].

BL_S as a generalization of CS4. An obvious translation from CS4 to BL_S is to map
$\Box s$ to $\ell$ says s and all other connectives to themselves. Remarkably, this simple translation
is both sound and complete. Another way to look at this translation is to say that in the
degenerate case where there is only one principal (say $\ell$) in BL_S, the sole modality $\ell$ says s
behaves exactly like the necessitation modality $\Box s$ from CS4. In fact, in this degenerate
case the natural deduction system for BL_S (Figure 3.2) reduces to the judgmental natural
deduction system for CS4 developed by Pfenning and Davies [115]. Similarly, the sequent
calculus (Figure 3.3) reduces to a corresponding calculus for CS4 (e.g., [66]).

Formally, let $\ulcorner \cdot \urcorner$ be the translation from CS4 formulas to propositional BL_S formulas
that maps $\Box s$ to $\ell$ says $\ulcorner s \urcorner$ and all other connectives to themselves. Then the following
theorem shows that BL_S generalizes propositional CS4.

Theorem 3.14. In the special case where there is only one principal $\ell$ in BL_S, the following
are equivalent for any CS4 formula s.

1. $\vdash s$ in CS4.

2. $\cdot; \cdot \vdash^{\ell} \ulcorner s \urcorner$ in the natural deduction system of Figure 3.2.

Proof. This result follows from the observation that if there is only one principal $\ell$, then the
natural deduction system of BL_S in Figure 3.2 reduces to the natural deduction system of
CS4 [115]. This is because with only one principal, views are irrelevant and the (claims) rule
can be applied at all times. Hence, the judgment $\ell$ claims s corresponds to the judgment
called s valid in [115]. Due to this reduction of the natural deduction system, $\Box$ in CS4
behaves exactly like $\ell$ says · in this restricted BL_S. □
Translation from propositional BL_S to CS4. Next we consider a translation from
propositional BL_S to CS4. For each principal k in propositional BL_S, let $g_k$ be a distinguished
atomic formula in CS4 that does not appear in BL_S. The following translation $\ulcorner \cdot \urcorner$
maps k says s to $\Box(g_k \supset \ulcorner s \urcorner)$ and all other connectives to themselves.

\[\begin{array}{rcl}
\ulcorner p \urcorner &=& p\\
\ulcorner s \wedge s' \urcorner &=& \ulcorner s \urcorner \wedge \ulcorner s' \urcorner\\
\ulcorner s \vee s' \urcorner &=& \ulcorner s \urcorner \vee \ulcorner s' \urcorner\\
\ulcorner s \supset s' \urcorner &=& \ulcorner s \urcorner \supset \ulcorner s' \urcorner\\
\ulcorner \top \urcorner &=& \top\\
\ulcorner \bot \urcorner &=& \bot\\
\ulcorner k\ \mathsf{says}\ s \urcorner &=& \Box(g_k \supset \ulcorner s \urcorner)
\end{array}\]

The important part of the translation is the mapping of k says s to $\Box(g_k \supset \ulcorner s \urcorner)$. The
formula $g_k$ on the left of the implication acts as a "guard" on $\ulcorner s \urcorner$, and recovers the effect of
the view associated with hypothetical judgments in BL_S: $\ulcorner s \urcorner$ can be obtained from $g_k \supset \ulcorner s \urcorner$
only if $g_k$ is true. By design, our translation ensures that $g_k$ is true if and only if we are
reasoning in a view weaker than k.

Define the set of formulas $\Theta = \{\Box(g_k \supset g_{k'}) \mid k' \succeq k\}$.5 $\Theta$ captures the preorder $\succeq$
between principals as implications between the representations of principals as atomic
formulas. The following theorem states the correctness property for the translation. (We abuse
notation slightly and use $\Theta$ to also represent the formula obtained by taking the conjunction
of all formulas in the set $\Theta$.)

Theorem 3.15 (Correctness). $\cdot; \cdot \vdash^{k} s$ in BL_S if and only if $\vdash \Theta \supset (g_k \supset \ulcorner s \urcorner)$ in CS4.

Proof. Soundness ("only if" direction) follows by an induction on proofs in BL_S. We must
generalize the induction hypothesis to state that $\cdot; \Gamma \vdash^{k} s$ implies $\vdash \Theta \supset ((\ulcorner \Gamma \urcorner \wedge g_k) \supset \ulcorner s \urcorner)$.
Completeness ("if" direction) follows by showing that CS4 sequent calculus proofs of
translated formulas can be simulated in BL_S. See [64, Theorem 5.9] for details. □
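The translation $\ulcorner \cdot \urcorner$ and the guard set $\Theta$ are simple enough to write down as a program, which makes the guarding of says and the encoding of the preorder concrete. The following Python code is an added illustration, not code from the thesis; the tuple encoding of formulas, the `g_k` naming of guard atoms and the principal names are assumptions made for the example, and the pretty printer uses ASCII stand-ins for the modal symbols.

```python
"""The translation from propositional BL_S to CS4 of §3.4 and the set Theta
that encodes the preorder on principals.  Added illustration, not code from
the thesis; the formula encoding and the principal names are constructed."""

# Encoding (assumed): BL_S formulas are ('atom', p) | ('top',) | ('bot',) |
# ('and'|'or'|'imp', s, t) | ('says', k, s).  CS4 formulas add ('box', s) and,
# for each principal k, the distinguished guard atom ('atom', 'g_k').
def guard(k):
    return ('atom', 'g_' + k)

def to_cs4(s):
    """k says s becomes box(g_k imp s); every other connective maps to itself."""
    tag = s[0]
    if tag in ('atom', 'top', 'bot'):
        return s
    if tag in ('and', 'or', 'imp'):
        return (tag, to_cs4(s[1]), to_cs4(s[2]))
    if tag == 'says':
        return ('box', ('imp', guard(s[1]), to_cs4(s[2])))
    raise ValueError('not a BL_S formula: %r' % (s,))

def preorder(principals, order):
    """Reflexive-transitive closure of `order`, whose pairs (k, k0) read k >= k0."""
    ge = {(k, k) for k in principals} | set(order)
    while True:
        more = {(a, d) for (a, b) in ge for (c, d) in ge if b == c} - ge
        if not more:
            return ge
        ge |= more

def theta(principals, order):
    """Theta = { box(g_k imp g_k') | k' >= k }: weaker-than-k implies weaker-than-k'."""
    return {('box', ('imp', guard(k), guard(k1))) for (k1, k) in preorder(principals, order)}

def correctness_formula(k, s, principals, order):
    """Theta imp (g_k imp s'), the CS4 side of Theorem 3.15, with Theta as one conjunction."""
    conj = None
    for f in sorted(theta(principals, order)):
        conj = f if conj is None else ('and', conj, f)
    return ('imp', conj, ('imp', guard(k), to_cs4(s)))

def show(f):
    """Render a formula in the thesis's notation (ASCII stand-ins for the symbols)."""
    tag = f[0]
    if tag == 'atom':
        return f[1]
    if tag in ('top', 'bot'):
        return {'top': 'T', 'bot': '_|_'}[tag]
    if tag == 'box':
        return '[](' + show(f[1]) + ')'
    if tag == 'says':
        return '(' + f[1] + ' says ' + show(f[2]) + ')'
    sym = {'and': '/\\', 'or': '\\/', 'imp': '=>'}[tag]
    return '(' + show(f[1]) + ' ' + sym + ' ' + show(f[2]) + ')'

if __name__ == '__main__':
    # Constructed sample: Alice says (p => Bob says q), with Alice >= Bob.
    s = ('says', 'Alice', ('imp', ('atom', 'p'), ('says', 'Bob', ('atom', 'q'))))
    print(show(s), ' ~> ', show(to_cs4(s)))
    print(show(correctness_formula('Bob', s, ['Alice', 'Bob'], {('Alice', 'Bob')})))
```

With Alice ⪰ Bob the set $\Theta$ contains $\Box(g_{\mathit{Bob}} \supset g_{\mathit{Alice}})$ and not its converse: a view weaker than Bob is also weaker than Alice, which is exactly what lets Alice's guarded claims be used in Bob's view after translation.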


3.5 Translations from the GP Logic and Soutei to BL_S

In this section we explore formal connections between BL_S and two existing logic-based
authorization formalisms, namely the GP logic [67] and Soutei [118]. We prove that both
frameworks can be embedded in BL_S in a sound and complete manner. Hence, any
authorization policy expressible in either the GP logic or Soutei is also expressible in BL_S.
Proofs of correctness of both translations make extensive use of the sequent calculus theory
of BL_S. In particular, they rely on the subformula property (Theorem 3.12).

3.5.1  Translation  from  the  GP  Logic 

The GP logic was first described in joint work with Pfenning [67]; a second-order variant
was described independently by Abadi under the name CDD [5]. The syntax of formulas in
the GP logic is the same as that in BL_S, but the says modality is interpreted as a family of
lax modalities [28, 60] indexed by principals. The logic is quite expressive, has a simple and
well studied proof theory, and together with CDD forms the basis of a lot of subsequent
research [61, 65, 66, 85, 90, 139]. Interestingly, it can be embedded into BL_S simply by
prefixing all connectives with $\ell$ says ·. This translation is inspired by Gödel's translation
from intuitionistic logic to modal S4, where a $\Box$ is put before each connective [74]. In the
following we describe GP logic briefly and show that this translation to BL_S is a logical
embedding.

5 Since we are considering only the propositional fragment of BL_S, all principals are ground terms and,
hence, the sorting $\Sigma$ in the judgment $\Sigma \vdash k \succeq k'$ is irrelevant. So we abbreviate the latter to $k \succeq k'$.


GP Logic. Formulas of GP logic have the same syntax as formulas of BL_S. For simplicity,
we consider here the fragment that was presented in prior work [67]. This fragment contains
only atomic formulas, $\supset$, $\bot$, $\forall$, and says. The translation presented here extends to other
connectives easily. We use the letters A, B, C to denote formulas in GP logic.

\[A, B, C ::= p \mid A \supset B \mid \bot \mid \forall x{:}\sigma.\, A \mid k\ \mathsf{says}\ A\]

The modality k says A in GP logic is treated as a monad. It is defined by the following
axioms.

\[\vdash A \supset (k\ \mathsf{says}\ A)\ (\mathrm{unit})\]

\[\vdash (k\ \mathsf{says}\ (A \supset B)) \supset ((k\ \mathsf{says}\ A) \supset k\ \mathsf{says}\ B)\ (\mathrm{K})\]

\[\vdash (k\ \mathsf{says}\ k\ \mathsf{says}\ A) \supset k\ \mathsf{says}\ A\ (\mathrm{C4})\]

Unlike BL_S, there is no order between principals in GP logic. A sequent calculus for the
logic from prior work [67] is reproduced in Figure 3.4. The basic judgments used are A true
(abbreviated to A) and k affirms A. The latter is internalized by the connective k says A.
Sequents have the form $\Sigma; \Gamma \longrightarrow \gamma$. There are no views. The hypotheses $\Gamma$ are a multiset of
assumptions of the form A true. Conclusions $\gamma$ may be of either of the two forms A true
and k affirms A. For details of the sequent calculus we refer the reader to prior work.
The important points to observe are that all left rules except (saysL) apply to all possible
conclusions, whereas in the rule (saysL) the conclusion must have the form k affirms B, and
this k must match the k in the principal formula k says A on the left.


Translation from the GP logic to BL_S. Let pr be the sort of principals in GP logic.
Assume that $\ell$ is not in pr, and that the sort of principals in BL_S, principal, contains all
principals in pr and $\ell$ (but no others). Thus pr is a subsort of principal. Further assume that
unequal principals in pr are not related to each other in the preorder $\succeq$ in BL_S, and that
the sort principal does not appear in formulas of GP logic.

The translation $\ulcorner \cdot \urcorner$ from formulas and sequents of GP logic to those of BL_S is defined
in Figure 3.5. On formulas the translation adds the prefix $\ell$ says · before all connectives
of the formula except for the topmost connective. On sequents the translation adds the prefix
$\ell$ claims · to all hypotheses, and sets the view and conclusion depending on the conclusion
of the GP logic sequent.
\[\frac{}{\Sigma; \Gamma, p \longrightarrow p}\ (\mathrm{init})
\qquad
\frac{\Sigma; \Gamma \longrightarrow A}{\Sigma; \Gamma \longrightarrow k\ \mathsf{affirms}\ A}\ (\mathrm{affirms})\]

\[\frac{\Sigma; \Gamma, A \longrightarrow B}{\Sigma; \Gamma \longrightarrow A \supset B}\ (\supset R)
\qquad
\frac{\Sigma; \Gamma, A \supset B \longrightarrow A \qquad \Sigma; \Gamma, A \supset B, B \longrightarrow \gamma}{\Sigma; \Gamma, A \supset B \longrightarrow \gamma}\ (\supset L)\]

\[\frac{}{\Sigma; \Gamma, \bot \longrightarrow \gamma}\ (\bot L)\]

\[\frac{\Sigma, x{:}\sigma; \Gamma \longrightarrow A}{\Sigma; \Gamma \longrightarrow \forall x{:}\sigma.\, A}\ (\forall R)
\qquad
\frac{\Sigma; \Gamma, \forall x{:}\sigma.\, A, A[t/x] \longrightarrow \gamma}{\Sigma; \Gamma, \forall x{:}\sigma.\, A \longrightarrow \gamma}\ (\forall L)\]

\[\frac{\Sigma; \Gamma \longrightarrow k\ \mathsf{affirms}\ A}{\Sigma; \Gamma \longrightarrow k\ \mathsf{says}\ A}\ (\mathsf{says}R)
\qquad
\frac{\Sigma; \Gamma, k\ \mathsf{says}\ A, A \longrightarrow k\ \mathsf{affirms}\ B}{\Sigma; \Gamma, k\ \mathsf{says}\ A \longrightarrow k\ \mathsf{affirms}\ B}\ (\mathsf{says}L)\]

Figure 3.4: Sequent calculus for GP logic (reproduced from [67])


Correctness of the translation. The translation ⌜·⌝ is sound and complete, i.e. a sequent is provable in GP logic if and only if its translation is provable in BL0. Soundness, the "only if" direction, is easy to establish by induction on sequent calculus proofs in GP logic.

Theorem 3.16 (Soundness). If Σ; Γ → γ in GP logic, then ⌜Σ; Γ → γ⌝ in BL0.

Proof. By induction on the given GP logic proof of Σ; Γ → γ. See Appendix A for details (Theorem A.4). □

The converse of this theorem, completeness, is harder to prove. First, we define a translation |·| from a fragment of BL0 larger than the image of ⌜·⌝ back to GP logic, such that |⌜·⌝| is the identity translation. Then, we prove that whenever a sequent is provable in BL0, its translation under |·| is provable in GP logic. This immediately implies completeness. The subformula property of the sequent calculus (Theorem 3.12) is implicitly used in this proof. It ensures that proofs of sequents in the domain of |·| only contain sequents that are also in its domain, so that we can always apply the induction hypothesis. Although this style of proving completeness of translations has been used in the past, its details are specific to each case, so we discuss them here. The inverse translation |·| is defined in Figure 3.6.

Lemma 3.17 (Composition). The following hold.

1. |⌜A⌝| = A

2. |⌜Σ; Γ → γ⌝| = Σ; Γ → γ
Formulas A
\[
\begin{array}{rcl}
\ulcorner p \urcorner &=& p\\
\ulcorner A \supset B \urcorner &=& (\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)\\
\ulcorner \bot \urcorner &=& \bot\\
\ulcorner \forall x{:}\sigma.A \urcorner &=& \forall x{:}\sigma.\ \ell\ \mathsf{says}\ \ulcorner A \urcorner\\
\ulcorner k\ \mathsf{says}\ A \urcorner &=& k\ \mathsf{says}\ \ell\ \mathsf{says}\ \ulcorner A \urcorner
\end{array}
\]

Hypotheses Γ
\[
\ulcorner A_1\ \mathsf{true},\ldots,A_n\ \mathsf{true} \urcorner = \ell\ \mathsf{claims}\ \ulcorner A_1 \urcorner,\ldots,\ell\ \mathsf{claims}\ \ulcorner A_n \urcorner
\]

Sequents
\[
\begin{array}{rcl}
\ulcorner \Sigma;\Gamma \longrightarrow B\ \mathsf{true} \urcorner &=& \Sigma;\ulcorner \Gamma \urcorner \stackrel{\ell}{\longrightarrow} \ulcorner B \urcorner\ \mathsf{true}\\
\ulcorner \Sigma;\Gamma \longrightarrow k\ \mathsf{affirms}\ B \urcorner &=& \Sigma;\ulcorner \Gamma \urcorner \stackrel{k}{\longrightarrow} \ell\ \mathsf{says}\ \ulcorner B \urcorner\ \mathsf{true}
\end{array}
\]

Figure 3.5: Translation from GP logic to BL0


Proof. By induction on the syntax of GP logic. □

Lemma 3.18 (Simulation). Suppose Σ ⊢ k ⪰ k′ implies k = k′ for every k and k′ in the sort pr. Then, whenever Σ; Γ →ᵏ s true is in the domain of |·| and provable in BL0, it is the case that |Σ; Γ →ᵏ s true| is provable in GP logic.

Proof. By induction on the given BL0 derivation of Σ; Γ →ᵏ s true and case analysis of its last rule. Since the translation |·| on sequents is defined based on whether the view is ℓ or not, we further distinguish cases based on the view. Some representative cases are shown here. We frequently use the structural properties of weakening and contraction for the sequent calculus of GP logic. These can be proved easily by induction on sequent calculus derivations.

Case. Rule (init) with k ≠ ℓ:
\[
\frac{}{\Sigma;\Gamma,p \stackrel{k}{\longrightarrow} p}\;\text{init}
\]

To show: Σ; |Γ|, p → k affirms p

1. Σ; |Γ|, p → p (Rule (init))

2. Σ; |Γ|, p → k affirms p (Rule (affirms) on 1)
Formulas s
\[
\begin{array}{rcll}
|p| &=& p &\\
|s_1 \supset s_2| &=& |s_1| \supset |s_2| &\\
|\bot| &=& \bot &\\
|\forall x{:}\sigma.s| &=& \forall x{:}\sigma.\,|s| & (\sigma \neq \mathit{principal})\\
|k\ \mathsf{says}\ s| &=& |s| & (k = \ell)\\
|k\ \mathsf{says}\ s| &=& k\ \mathsf{says}\ |s| & (k \neq \ell)
\end{array}
\]

Hypotheses Γ
\[
\begin{array}{rcll}
|s\ \mathsf{true}| &=& |s|\ \mathsf{true} &\\
|k\ \mathsf{claims}\ s| &=& |s|\ \mathsf{true} & (k = \ell)\\
|k\ \mathsf{claims}\ s| &=& (k\ \mathsf{says}\ |s|)\ \mathsf{true} & (k \neq \ell)\\
|J_1,\ldots,J_n| &=& |J_1|,\ldots,|J_n| &
\end{array}
\]

Sequents
\[
\begin{array}{rcll}
|\Sigma;\Gamma \stackrel{k}{\longrightarrow} s\ \mathsf{true}| &=& \Sigma;|\Gamma| \longrightarrow k\ \mathsf{affirms}\ |s| & (k \neq \ell,\ \mathit{principal} \notin \Sigma)\\
|\Sigma;\Gamma \stackrel{k}{\longrightarrow} s\ \mathsf{true}| &=& \Sigma;|\Gamma| \longrightarrow |s|\ \mathsf{true} & (k = \ell,\ \mathit{principal} \notin \Sigma)
\end{array}
\]

Figure 3.6: Translation from a fragment of BL0 to GP logic


Case. Rule (init) with k = ℓ. To show: Σ; |Γ|, p → p

This follows directly from rule (init).

Case. Rule (claims) with k₀ ≠ ℓ:
\[
\frac{\Sigma \vdash k \succeq k_0 \qquad \Sigma;\Gamma,k\ \mathsf{claims}\ s,s \stackrel{k_0}{\longrightarrow} r}{\Sigma;\Gamma,k\ \mathsf{claims}\ s \stackrel{k_0}{\longrightarrow} r}\;\text{claims}
\]

Subcase k = ℓ. To show: Σ; |Γ|, |s| → k₀ affirms |r|

1. Σ; |Γ|, |s|, |s| → k₀ affirms |r| (i.h. on premise)

2. Σ; |Γ|, |s| → k₀ affirms |r| (Contraction on 1)

Subcase k ≠ ℓ. To show: Σ; |Γ|, k says |s| → k₀ affirms |r|

By assumption, the premise Σ ⊢ k ⪰ k₀ implies k = k₀.

1. Σ; |Γ|, k says |s|, |s| → k₀ affirms |r| (i.h. on premise)

2. Σ; |Γ|, k says |s| → k₀ affirms |r| (Rule (saysL) on 1; k = k₀)




Chapter 3. BL0: An Authorization Logic for Static Policies


Case. Rule (claims) with view ℓ:
\[
\frac{\Sigma \vdash k \succeq \ell \qquad \Sigma;\Gamma,k\ \mathsf{claims}\ s,s \stackrel{\ell}{\longrightarrow} r}{\Sigma;\Gamma,k\ \mathsf{claims}\ s \stackrel{\ell}{\longrightarrow} r}\;\text{claims}
\]

The premise Σ ⊢ k ⪰ ℓ forces k = ℓ. Therefore, we must show that Σ; |Γ|, |s| → |r|.

1. Σ; |Γ|, |s|, |s| → |r| (i.h. on premise)

2. Σ; |Γ|, |s| → |r| (Contraction on 1)


Case. Rule (saysR) with k₀ ≠ ℓ:
\[
\frac{\Sigma;\Gamma| \stackrel{k}{\longrightarrow} s}{\Sigma;\Gamma \stackrel{k_0}{\longrightarrow} k\ \mathsf{says}\ s}\;\text{saysR}
\]

Subcase k = ℓ. To show: Σ; |Γ| → k₀ affirms |s|

1. Σ; |(Γ|)| → |s| (i.h. on premise)

2. Σ; |Γ| → |s| (Weakening on 1)

3. Σ; |Γ| → k₀ affirms |s| (Rule (affirms) on 2)

Subcase k ≠ ℓ. To show: Σ; |Γ| → k₀ affirms k says |s|

1. Σ; |(Γ|)| → k affirms |s| (i.h. on premise)

2. Σ; |Γ| → k affirms |s| (Weakening on 1)

3. Σ; |Γ| → k says |s| (Rule (saysR) on 2)

4. Σ; |Γ| → k₀ affirms k says |s| (Rule (affirms) on 3)

Case. Rule (saysR) with view ℓ:
\[
\frac{\Sigma;\Gamma| \stackrel{k}{\longrightarrow} s}{\Sigma;\Gamma \stackrel{\ell}{\longrightarrow} k\ \mathsf{says}\ s}\;\text{saysR}
\]

Subcase k = ℓ. To show: Σ; |Γ| → |s|

1. Σ; |(Γ|)| → |s| (i.h. on premise)

2. Σ; |Γ| → |s| (Weakening on 1)

Subcase k ≠ ℓ. To show: Σ; |Γ| → k says |s|

1. Σ; |(Γ|)| → k affirms |s| (i.h. on premise)

2. Σ; |Γ| → k affirms |s| (Weakening on 1)

3. Σ; |Γ| → k says |s| (Rule (saysR) on 2)
Case. Rule (saysL) with k₀ ≠ ℓ:
\[
\frac{\Sigma;\Gamma,k\ \mathsf{says}\ s,k\ \mathsf{claims}\ s \stackrel{k_0}{\longrightarrow} r}{\Sigma;\Gamma,k\ \mathsf{says}\ s \stackrel{k_0}{\longrightarrow} r}\;\text{saysL}
\]

To show: Σ; |Γ|, |k says s| → k₀ affirms |r|

1. Σ; |Γ|, |k says s|, |k claims s| → k₀ affirms |r| (i.h. on premise)

2. Σ; |Γ|, |k says s| → k₀ affirms |r| (Contraction on 1; |k says s| = |k claims s|)

Case. Rule (saysL) with view ℓ:
\[
\frac{\Sigma;\Gamma,k\ \mathsf{says}\ s,k\ \mathsf{claims}\ s \stackrel{\ell}{\longrightarrow} r}{\Sigma;\Gamma,k\ \mathsf{says}\ s \stackrel{\ell}{\longrightarrow} r}\;\text{saysL}
\]

To show: Σ; |Γ|, |k says s| → |r|

1. Σ; |Γ|, |k says s|, |k claims s| → |r| (i.h. on premise)

2. Σ; |Γ|, |k says s| → |r| (Contraction on 1; |k says s| = |k claims s|)

□

Theorem 3.19 (Completeness). If ⌜Σ; Γ → γ⌝ is provable in BL0, then Σ; Γ → γ is provable in GP logic.

Proof. Suppose ⌜Σ; Γ → γ⌝ is provable in BL0. By Lemma 3.18, |⌜Σ; Γ → γ⌝| is provable in GP logic. Using Lemma 3.17, |⌜Σ; Γ → γ⌝| = Σ; Γ → γ. Hence Σ; Γ → γ is provable in GP logic. □
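The two translations ⌜·⌝ (Figure 3.5) and |·| (Figure 3.6), together with the composition property of Lemma 3.17, as an added example in Python that is not part of the thesis; the tuple encoding of formulas and the principal name "l" standing for ℓ are assumptions of the example.

```python
# Added example (not from the thesis): ⌜·⌝ of Figure 3.5 and its inverse |·| of
# Figure 3.6 on formulas and sequents, with a check of Lemma 3.17: |⌜A⌝| = A.
#
# Formula encoding (constructed for this example):
#   ("atom", "p")                   p
#   ("bot",)                        ⊥
#   ("imp", A, B)                   A ⊃ B
#   ("forall", "x", "sigma", A)     ∀x:σ. A
#   ("says", "k", A)                k says A
LOCAL = "l"  # the local authority ℓ of BL0; by assumption not a GP-logic principal


def encode(a):
    """⌜·⌝ on GP formulas: put 'ℓ says' in front of every immediate subformula."""
    tag = a[0]
    if tag in ("atom", "bot"):
        return a
    if tag == "imp":
        return ("imp", ("says", LOCAL, encode(a[1])), ("says", LOCAL, encode(a[2])))
    if tag == "forall":
        return ("forall", a[1], a[2], ("says", LOCAL, encode(a[3])))
    if tag == "says":
        return ("says", a[1], ("says", LOCAL, encode(a[2])))
    raise ValueError(f"not a GP formula: {tag}")


def decode(s):
    """|·| on BL0 formulas: drop 'ℓ says', keep 'k says' for k ≠ ℓ."""
    tag = s[0]
    if tag in ("atom", "bot"):
        return s
    if tag == "imp":
        return ("imp", decode(s[1]), decode(s[2]))
    if tag == "forall":
        if s[2] == "principal":
            raise ValueError("∀ over sort principal is outside the domain of |·|")
        return ("forall", s[1], s[2], decode(s[3]))
    if tag == "says":
        body = decode(s[2])
        return body if s[1] == LOCAL else ("says", s[1], body)
    raise ValueError(f"outside the domain of |·|: {tag}")


def encode_sequent(sigma, gamma, concl):
    """⌜Σ; Γ → γ⌝.  gamma: GP hypotheses (formulas, all 'true');
    concl: ("true", B) or ("affirms", k, B).  Returns (Σ, Γ', view, s)."""
    hyps = [("claims", LOCAL, encode(a)) for a in gamma]
    if concl[0] == "true":
        return (sigma, hyps, LOCAL, encode(concl[1]))
    k, b = concl[1], concl[2]
    return (sigma, hyps, k, ("says", LOCAL, encode(b)))


def decode_sequent(seq):
    """|Σ; Γ →k s true|, defined only when the sort principal is absent from Σ."""
    sigma, hyps, view, s = seq
    if "principal" in sigma.values():
        raise ValueError("sort principal in Σ: outside the domain of |·|")
    gamma = []
    for h in hyps:
        if h[0] == "true":
            gamma.append(decode(h[1]))
        else:  # 'k claims s' is read back as |k says s| true
            gamma.append(decode(("says", h[1], h[2])))
    if view == LOCAL:
        return (sigma, gamma, ("true", decode(s)))
    return (sigma, gamma, ("affirms", view, decode(s)))


if __name__ == "__main__":
    A = ("forall", "x", "file", ("imp", ("atom", "p"), ("says", "k", ("atom", "q"))))
    print(encode(A))
    print(decode(encode(A)) == A)
```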

3.5.2 Translation from Soutei

Soutei is a trust management system, i.e. a framework for administering and enforcing authorization policies [118]. It has been deployed in at least one large application, namely a publish-subscribe service on the web. Soutei's language for writing authorization policies is declarative; its syntax extends the syntax of Prolog by allowing limited use of the connective k says s. For lack of a better name we call this language SL. The semantics of SL are defined through inference rules that resemble backchaining rules for top-down logic programming (à la Prolog). An extremely interesting aspect from our perspective is that the says connective in SL behaves similarly to the says modality in BL0 to the extent that, with the exception of differences in syntax, SL is a fragment of BL0. In the following we describe SL, and prove that it can be embedded in BL0. A translation is needed to account for the differences in syntax. Although the inference system of SL allows the same consequences as that of BL0, the two differ significantly in details. As a result, the proof of correctness of the embedding is quite involved.






SL. SL is based on Binder [52], another declarative language for writing authorization policies. Policy statements (called clauses) are divided into disjoint sets called assertions. Each assertion has a name, which is analogous to a principal in authorization logics. If c₁, ..., cₙ are the clauses in an assertion named k, then the whole assertion behaves as the hypothesis k says c₁, ..., k says cₙ. The syntax of SL is shown below.⁶


\[
\begin{array}{lrcl}
\text{Principals or names} & k & & \\
\text{Atomic formulas} & p & ::= & P\ t_1 \ldots t_n\\
\text{Goals} & g & ::= & p \mid k\ \mathsf{says}\ p\\
\text{Clauses} & c & ::= & \forall x_1 \ldots x_n.\ (p \mathrel{:-} g_1,\ldots,g_m)\\
\text{Assertions} & A & ::= & c_1,\ldots,c_n\\
\text{Named assertions} & N & ::= & k : A\\
\text{Hypotheses} & \Gamma & ::= & N_1,\ldots,N_m\\
\text{Queries} & q & ::= & A \vdash_\Gamma g
\end{array}
\]


Policy statements are represented as clauses that have the form ∀x₁...xₙ. (p :- g₁, ..., gₘ), where p is an atomic formula and each gⱼ is either an atomic formula or has the form k says p. As usual, the entire clause implies that for any grounding substitution θ with domain x₁...xₙ, pθ holds if each of g₁θ, ..., gₘθ holds. m may be zero, in which case pθ is a fact. An assertion A is a set of clauses. A named assertion is a pair k : A containing an assertion and a principal. The principal is a name for the assertion, and may represent a physical domain (such as a computer or a user) inside which policies contained in the assertion hold. The set of all named assertions is called the hypotheses Γ. It is assumed implicitly that the names of all assertions in Γ are distinct. Authorization queries are evaluated relative to the hypotheses Γ and an assertion A containing clauses which are valid at the point of evaluation. As evaluation of a query proceeds, A may change, but Γ remains fixed. Evaluation of queries is goal directed, and uses the following two rules:

\[
\frac{(\forall x_1 \ldots x_n.\ (p \mathrel{:-} g_1,\ldots,g_m)) \in A \qquad \mathrm{dom}(\theta) \supseteq x_1 \ldots x_n \qquad (A \vdash_\Gamma g_i\theta)_{i \in \{1,\ldots,m\}}}{A \vdash_\Gamma p\theta}\;\text{bc}
\]
\[
\frac{(k : A') \in \Gamma \qquad A' \vdash_\Gamma p}{A \vdash_\Gamma k\ \mathsf{says}\ p}\;\text{says}
\]

The rule (bc) means that pθ holds if there is a clause ∀x₁...xₙ. (p :- g₁, ..., gₘ) in the valid assertion, and each gᵢθ holds. This is the standard backchaining rule for logic programs. The rule (says) means that k says p is true if p is true in the assertion named k.
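The two evaluation rules (bc) and (says) as a goal-directed evaluator, added here as an example that is not Soutei's implementation; the policy, principal names and predicates below are constructed for the example, and the recursion bound is an addition not present in the rules.

```python
# Added example (not Soutei's code): goal-directed evaluation of SL queries
# A ⊢_Γ g by the rules (bc) and (says), over a policy constructed for the example.
from itertools import count

MAX_DEPTH = 64  # bound on the search so that a cyclic policy cannot loop forever


def is_var(t):
    """Variables are strings starting with an upper-case letter; others are constants."""
    return isinstance(t, str) and t[:1].isupper()


def walk(t, sub):
    """Follow the substitution until a constant or an unbound variable is reached."""
    while is_var(t) and t in sub:
        t = sub[t]
    return t


def unify(a, b, sub):
    """Unify atomic formulas a, b = (pred, args) under sub; extended sub or None."""
    if a[0] != b[0] or len(a[1]) != len(b[1]):
        return None
    sub = dict(sub)  # copy: a failed branch must not leak bindings into backtracking
    for x, y in zip(a[1], b[1]):
        x, y = walk(x, sub), walk(y, sub)
        if x == y:
            continue
        if is_var(x):
            sub[x] = y
        elif is_var(y):
            sub[y] = x
        else:
            return None
    return sub


_fresh = count()


def rename(clause):
    """Standardise apart: ∀x1..xn.(p :- g1..gm) gets fresh variable names per use."""
    n = next(_fresh)

    def r(t):
        return f"{t}_{n}" if is_var(t) else t

    def ra(atm):
        return (atm[0], tuple(r(t) for t in atm[1]))

    head, body = clause
    return ra(head), tuple(("says", r(g[1]), ra(g[2])) if len(g) == 3 else ra(g) for g in body)


def solve(assertion, goal, hyps, sub, depth=0):
    """Yield every substitution under which  assertion ⊢_Γ goal  holds."""
    if depth > MAX_DEPTH:
        return
    if len(goal) == 3:  # rule (says): k says p holds if p holds in the assertion named k
        _, k, p = goal
        k = walk(k, sub)
        if is_var(k) or k not in hyps:
            return
        yield from solve(hyps[k], p, hyps, sub, depth + 1)
        return
    for clause in assertion:  # rule (bc): backchain on a clause of the current assertion
        head, body = rename(clause)
        s = unify(head, goal, sub)
        if s is not None:
            yield from solve_all(assertion, body, hyps, s, depth + 1)


def solve_all(assertion, goals, hyps, sub, depth):
    """Solve the body goals g1θ, ..., gmθ left to right, threading the substitution."""
    if not goals:
        yield sub
        return
    for s in solve(assertion, goals[0], hyps, sub, depth):
        yield from solve_all(assertion, goals[1:], hyps, s, depth)


def holds(assertion, goal, hyps):
    """Decide the query  assertion ⊢_Γ goal."""
    return next(solve(assertion, goal, hyps, {}), None) is not None


def atom(pred, *args):
    return (pred, tuple(args))


def says(k, a):
    return ("says", k, a)


# Constructed hypotheses Γ: three named assertions; U, R, O are per-clause variables.
HYPS = {
    "admin": [
        (atom("may", "U", "R", "read"),
         (says("hr", atom("employee", "U")),     # hr vouches for the user
          atom("owner", "R", "O"),                 # admin's own owner table
          says("O", atom("allow", "U", "R")))),    # the owner, bound at run time, allows it
        (atom("owner", "report", "alice"), ()),
    ],
    "hr": [(atom("employee", "bob"), ())],
    "alice": [(atom("allow", "bob", "report"), ())],
}

# The assertion valid at the point of evaluation: the monitor defers to admin.
MONITOR = [(atom("may", "U", "R", "A"), (says("admin", atom("may", "U", "R", "A")),))]


def may_access(user, resource, action="read"):
    return holds(MONITOR, atom("may", user, resource, action), HYPS)
```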


Translation from SL to BL0. Assume that BL0 contains all principals in SL, each of which is distinct from ℓ. Further assume that unequal principals of SL are not related to each other in the order ⪰. Since SL is not multi-sorted, we need only one sort in BL0, say principal. In this special case, Σ ⊢ t : principal whenever all free variables of t are in the domain of Σ. The translation ⌜·⌝ from SL to BL0 is defined in Figure 3.7. Since the only sort is principal, we omit sort annotations from universal quantifiers, abbreviating ∀x:principal.s to ∀x.s.

⁶ We change Soutei's original notation to make it consistent with our own notation. We also simplify the evaluation rules slightly, without affecting their consequences.

Goals g
\[
\begin{array}{rcl}
\ulcorner p \urcorner &=& p\\
\ulcorner k\ \mathsf{says}\ p \urcorner &=& k\ \mathsf{says}\ p
\end{array}
\]

Clauses c
\[
\ulcorner \forall x_1 \ldots x_n.\ (p \mathrel{:-} g_1,\ldots,g_m) \urcorner = \forall x_1 \ldots x_n.\ ((\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p)
\]

Assertions A
\[
\ulcorner c_1,\ldots,c_n \urcorner = \ulcorner c_1 \urcorner,\ldots,\ulcorner c_n \urcorner
\]

Named assertions N
\[
\ulcorner k : c_1,\ldots,c_n \urcorner = k\ \mathsf{claims}\ \ulcorner c_1 \urcorner,\ldots,k\ \mathsf{claims}\ \ulcorner c_n \urcorner
\]

Hypotheses Γ
\[
\ulcorner N_1,\ldots,N_n \urcorner = \ulcorner N_1 \urcorner,\ldots,\ulcorner N_n \urcorner
\]

Figure 3.7: Translation from SL to BL0

It is noteworthy that the translation only renames some connectives. It replaces :- by ⊃, and the named assertion k : c₁ ... cₙ by k claims c₁, ..., k claims cₙ. Owing to the similarity in the behavior of says in Soutei and BL0, this simple translation is sound and complete. This is formalized by the following theorem.


Theorem 3.20 (Correctness). Suppose k : A ∈ Γ. Then, A ⊢_Γ g in SL if and only if ·; ⌜Γ⌝, ⌜A⌝ →ᵏ ⌜g⌝ in BL0.


Proof. The "only if" direction follows by a simple induction on derivations in Soutei. The "if" direction is much harder to establish. Our proof follows an approach similar to that of Theorem 3.19 and relies on the subformula property. The inverse translation, however, is more involved. Details of the proof in both directions are in Appendix A (Theorem A.11). □
3.6 Horn Fragment and Translation to First-Order Logic

As the final technical result of this chapter we present a sound and complete embedding of a reasonably expressive fragment of BL0 in first-order intuitionistic logic.⁷ The main idea of our translation is to eliminate the modality k says s by pushing the principal name k to the predicates in s as an extra argument. For example, we translate k says (P t₁ ... tₙ) to (P k t₁ ... tₙ). Besides the fact that the translation makes BL0 amenable to existing tools for first-order logic such as automatic theorem provers, the translation is also relevant for a historic reason: its main idea has been used in the past to both define and implement other declarative policy languages with the says modality. For example, the semantics of Binder, one of the earliest policy languages with a says modality, are defined using a similar translation that maps Binder policies into Datalog programs [52]. Similarly, the policy language SecPAL is implemented via translation to Datalog, again using a related translation to embed says in first-order logic [23]. What the results of this section show is that there is at least some logical justification for these translations, namely that for a says modality that behaves like the one in BL0, pushing k says · to predicates constitutes a provability preserving embedding.

We make two important observations. First, this translation does not work for all existing authorization logics with a says modality. The translation is not sound if the says modality in the source logic is too strong, e.g., as in the GP logic (§3.5.1). Similarly, the translation is not complete if the says modality is too weak, as happens, for example, with logics in early work [8, 88]. Therefore, the interpretation of says should neither be too weak nor too strong for the translation to be sound and complete. BL0 seems to achieve this balance well. Second, even for BL0, the use of connectives must be restricted in source formulas in order to make the translation complete. More precisely, what we really translate is not all of BL0 but only a fragment of it. This fragment is quite large and very expressive. Indeed, all policies encountered by the author so far that can be expressed in BL0 can also be expressed in the fragment, and the image of the translation from SL (§3.5.2) is also contained in it. The main restriction in the fragment is that ⊃ and ∀ are not allowed to appear as top level connectives in conclusions of sequents, whereas ∃, ∨, and ⊤ are not allowed to appear at the top level in hypotheses. Further, it must be assumed that the order ⪰ between principals is trivial, i.e. Σ ⊢ k ⪰ k′ implies k = k′. The fragment resembles a fragment of predicate logic called the Horn fragment, and hence we call it the Horn fragment of BL0.⁸ An important property is that in any proof of a sequent in the Horn fragment, the sorting Σ and the hypotheses Γ never change.

Horn fragment of BL0. The syntax of the Horn fragment of BL0 is shown below. We divide the syntax of formulas into goals g and clauses d (the terms goal and clause are borrowed from logic programming). Hypotheses are restricted to the forms k claims d and d true (abbreviated to d). The two forms of hypotheses are distinguished using different letters Δ and Ξ respectively. This is necessary because the translations of the two types of hypotheses are different. In addition we assume that distinct principals are unrelated to each other in the order ⪰ (so ⪰ is the diagonal relation); in particular, ℓ is assumed to be absent.

⁷ We drop the adjective "intuitionistic" when referring to the target of the translation since the image of the translation lies in a fragment of first-order logic on which intuitionistic and classical provability coincide. We do not show here that this is the case, since this observation is orthogonal to the concerns of the translation. Our correctness proof is based on an intuitionistic sequent calculus.

⁸ The Horn fragment of predicate logic is the fragment that is used in Prolog.

\[
\begin{array}{lrcl}
\text{Goals} & g & ::= & p \mid k\ \mathsf{says}\ g \mid g_1 \wedge g_2 \mid g_1 \vee g_2 \mid \top \mid \bot \mid \exists x{:}\sigma.g\\
\text{Clauses} & d & ::= & p \mid \forall x{:}\sigma.d \mid g \supset d \mid \top \mid d_1 \wedge d_2\\
\text{Claims hypotheses} & \Delta & ::= & k_1\ \mathsf{claims}\ d_1,\ldots,k_n\ \mathsf{claims}\ d_n\\
\text{True hypotheses} & \Xi & ::= & d_1,\ldots,d_n\\
\text{Sequents} & & & \Sigma;\Delta,\Xi \stackrel{k}{\longrightarrow} g
\end{array}
\]

The rules of inference for the Horn fragment are the same as those of the sequent calculus for BL0 (Figure 3.3), except that sequents are restricted to the form Σ; Δ, Ξ →ᵏ g. It can be checked that this class of sequents is closed in the following sense: all sequents occurring in the proof of a sequent in the class also lie in the class.

Translation to first-order logic. As the target of the translation we consider a multi-sorted first-order intuitionistic logic having the same sorts as BL0. We assume that for every predicate in BL0, there is a predicate of the same name in first-order logic that takes an extra argument of sort principal. As a convention, we make this the first argument of the predicate. The proof theory of intuitionistic first-order logic has been studied extensively and although we need it for proving the translation correct, we do not reiterate it here. Briefly, a sequent calculus for the logic may be obtained by ignoring rules containing says and claims in Figure 3.3 and additionally dropping all views from sequents (see Figure A.1 in Appendix A for a listing of the rules of the sequent calculus).

Figure 3.8 describes the translation [·] from the Horn fragment to first-order logic. An auxiliary translation [·]ₖ, indexed by a principal k, is also needed to translate formulas (goals and clauses) and true hypotheses Ξ. Intuitively, the index k is the principal in the nearest says or claims outside the formula being translated. The central "trick" of the translation is to push the modality k says · down to atomic formulas, where k is added as an extra argument to the predicate symbols. That this simple idea works for a reasonably large fragment of BL0 may seem surprising. However, as mentioned earlier, the idea does not extend to larger fragments.

Theorem 3.21 (Correctness of Translation). Let Σ; Δ, Ξ →ᵏ g be a sequent in the Horn fragment of BL0 and assume that for each d ∈ Ξ, k claims d ∈ Δ. Then Σ; Δ, Ξ →ᵏ g is provable in BL0 if and only if its translation Σ; [Δ], [Ξ]ₖ → [g]ₖ is provable in first-order logic.

Proof. Soundness, the "only if" direction, follows by a straightforward induction on the proof of Σ; Δ, Ξ →ᵏ g. Completeness follows by a lexicographic induction, first on the given derivation of Σ; [Δ], [Ξ]ₖ → [g]ₖ and then on the structure of g. Details of the proof in both directions are in Appendix A (Theorem A.14). □


Sequents
\[
[\Sigma;\Delta,\Xi \stackrel{k}{\longrightarrow} g] = \Sigma;[\Delta],[\Xi]_k \longrightarrow [g]_k
\]

Figure 3.8: Translation from the Horn fragment of BL0 to first-order logic.
Example 3.22. We illustrate the translation [·] on the policy of Examples 3.1 and 3.6. The policy in Figure 3.1 does not lie in the Horn fragment (because clauses cannot contain says at the top level), but that policy can be transformed to an equivalent one by replacing all top level says with claims. This slightly modified policy, which we denoted with the symbol Ξ in Example 3.6, is in the syntax of claims hypotheses (Δ). We may translate the policy using the translation [·]. As illustrations, rules (1) and (2) when translated result in the following formulas.

\[
(1')\quad \forall k,k',f.\ (((\mathit{hasLevelForFile}\ \mathit{admin}\ k\ f) \wedge (\mathit{owns}\ \mathit{system}\ k'\ f) \wedge (\mathit{may}\ k'\ k\ f\ \mathit{read})) \supset \mathit{may}\ \mathit{admin}\ k\ f\ \mathit{read})
\]
\[
(2')\quad \forall k,f,l,l'.\ (((\mathit{levelFile}\ \mathit{system}\ f\ l) \wedge (\mathit{levelPrin}\ \mathit{hr}\ k\ l') \wedge (\mathit{below}\ \mathit{admin}\ l\ l')) \supset \mathit{hasLevelForFile}\ \mathit{admin}\ k\ f)
\]

Since the translation does not account for the relation ⪰, the rules (3)-(5) from Figure 3.1 that were stated by ℓ must be replicated for every principal in first-order logic. For instance, instead of assuming the formula below ℓ secret topsecret (which would be the translation of (4)), we need to assume below admin secret topsecret to draw meaningful conclusions from the translated policy.
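The translation [·]ₖ described above, reproducing (1′) and (2′), as an added Python example that is not the thesis's own code. Figure 3.1's rules (1) and (2) are not on this page, so the two BL0 clauses below are reconstructed from (1′) and (2′) and are an assumption of the example, as are the tuple encoding and the clause-by-clause definition of [·]ₖ derived from the prose (only the sequent clause of Figure 3.8 is given above).

```python
# Added example (not from the thesis): [·]_k from the Horn fragment of BL0 to
# first-order logic, pushing the enclosing principal into each predicate's first
# argument, applied to rules reconstructed from (1') and (2') of Example 3.22.
#
# Encoding (constructed): ("atom", pred, args), ("says", k, g), ("and", a, b),
# ("or", a, b), ("imp", g, d), ("top",), ("bot",), ("forall", vars, d), ("exists", vars, g)


def fol(form, k):
    """[form]_k: the principal k of the nearest enclosing says/claims becomes the
    first argument of every atomic formula; an inner 'k' says' replaces k by k'."""
    tag = form[0]
    if tag == "atom":
        return ("atom", form[1], (k,) + tuple(form[2]))
    if tag == "says":
        return fol(form[2], form[1])
    if tag in ("and", "or", "imp"):
        return (tag, fol(form[1], k), fol(form[2], k))
    if tag in ("top", "bot"):
        return form
    if tag in ("forall", "exists"):
        return (tag, form[1], fol(form[2], k))
    raise ValueError(f"not in the Horn fragment: {tag}")


def fol_sequent(sigma, delta, xi, k, g):
    """[Σ; Δ, Ξ →k g] = Σ; [Δ], [Ξ]_k → [g]_k  (Figure 3.8).
    delta: list of (k_i, d_i) standing for 'k_i claims d_i'; xi: list of clauses d."""
    hyps = [fol(d, ki) for ki, d in delta] + [fol(d, k) for d in xi]
    return (sigma, hyps, fol(g, k))


def render(f):
    """Print a formula in the style of (1') and (2'); binary connectives are parenthesised."""
    tag = f[0]
    if tag == "atom":
        return "(" + " ".join((f[1],) + tuple(f[2])) + ")"
    if tag == "top":
        return "⊤"
    if tag == "bot":
        return "⊥"
    if tag == "says":
        return f"({f[1]} says {render(f[2])})"
    op = {"and": "∧", "or": "∨", "imp": "⊃"}
    if tag in op:
        return f"({render(f[1])} {op[tag]} {render(f[2])})"
    return ("∀" if tag == "forall" else "∃") + ",".join(f[1]) + ". " + render(f[2])


def atom(pred, *args):
    return ("atom", pred, tuple(args))


def conj(*gs):
    """Left-nested conjunction g1 ∧ g2 ∧ ... ."""
    g = gs[0]
    for h in gs[1:]:
        g = ("and", g, h)
    return g


# Reconstructed (assumed) rule (1): admin claims ∀k,k',f. ((hasLevelForFile k f) ∧
#   (system says owns k' f) ∧ (k' says may k f read)) ⊃ may k f read
RULE1 = ("forall", ["k", "k'", "f"],
         ("imp", conj(atom("hasLevelForFile", "k", "f"),
                      ("says", "system", atom("owns", "k'", "f")),
                      ("says", "k'", atom("may", "k", "f", "read"))),
          atom("may", "k", "f", "read")))

# Reconstructed (assumed) rule (2): admin claims ∀k,f,l,l'. ((system says levelFile f l) ∧
#   (hr says levelPrin k l') ∧ (below l l')) ⊃ hasLevelForFile k f
RULE2 = ("forall", ["k", "f", "l", "l'"],
         ("imp", conj(("says", "system", atom("levelFile", "f", "l")),
                      ("says", "hr", atom("levelPrin", "k", "l'")),
                      atom("below", "l", "l'")),
          atom("hasLevelForFile", "k", "f")))


def translate_admin_rules():
    """[Δ] for Δ = admin claims RULE1, admin claims RULE2, rendered as in Example 3.22."""
    _, hyps, _ = fol_sequent({}, [("admin", RULE1), ("admin", RULE2)], [], "admin", ("top",))
    return [render(h) for h in hyps]


if __name__ == "__main__":
    for line in translate_admin_rules():
        print(line)
```

The principal inside a says may be a bound variable, as k′ in rule (1); the translation then places that variable in the predicate, giving (may k′ k f read) as in (1′).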

Another relevant observation is that although Theorem 3.21 shows that translated policies can be used to draw the same authorizations as the original policies in BL0, translated policies are not very convenient for direct enforcement in distributed settings. The reason is that it is not obvious from either (1′) or (2′) that they correspond to rules of the principal admin, and consequently, it is also unclear how they may be established to a reference monitor. On the other hand, the corresponding rules (1) and (2) from Figure 3.1 make explicit the identity of the principal creating them (via the top level annotation admin says ·), and make it obvious that both (1) and (2) should be established through certificates signed by admin. Similarly, if first-order logic were to be used for enforcement, all certificates would have to be represented via the translation. As a result, the translation described in this section is largely of theoretical interest. It can be used in practice indirectly, e.g., for reducing the problem of proof search in BL0 to that of proof search in first-order logic.


A formal relation between Binder and Soutei. The creators of Soutei emphasize (without proof) [118, Section 2] that Soutei is a dialect of another policy language, Binder [52]. Whereas the syntax of Soutei is a restriction of the syntax of Binder, it is far from obvious that their seemingly different inference systems admit the same authorizations from syntactically identical policies. As explained in §3.5.2, the inference system of Soutei resembles a backchaining proof system from logic programming. The semantics of Binder policies, on the other hand, are defined via a translation to first-order logic which is identical to the translation described above. Consequently, Theorems 3.20 and 3.21 together show that the authorizations derivable from policies expressible in Soutei are the same in Binder and Soutei (and also in BL0). Therefore, Soutei is provably a fragment of Binder.
3.7 Related Work

We close this chapter with a discussion of some of the vast amount of work on other authorization logics, logic-based authorization languages, and other formalisms for expressing authorization policies. We also discuss work on formal analysis of policies for correctness and problems, a topic that is not covered in this thesis. Related work on constructs in policy formalisms that may be used to express dynamic policies is discussed in §4.7.

3.7.1 Authorization Logics

The ABLP logic. The study of authorization logics was initiated in the work of Lampson and others [8, 88]. The logic proposed in these papers, called the ABLP logic, is classical and its proof system is axiomatic (as opposed to BL0 and the GP logic, which are intuitionistic and based in structural proof theory). The main goal of the ABLP logic was to formalize and explain authentication and authorization in distributed systems; the logic was not intended for a direct implementation.

The ABLP logic introduced the modality says, although the behavior of the modality is different from says in BL0 because the modality satisfies the rule (N) and axiom (K) from §3.1, but no other primitive axioms. As a result, k says ((k′ says s′) ⊃ s) and k′ says s′ do not imply k says s in the logic, which makes it impossible to express authorizations in the manner considered in this chapter. The logic is propositional, but it contains the speaksfor connective k₁ ⇒ k₂ (see the discussion of full delegation in §3.1.2). As discussed in §3.1.2, the order ⪰ on principals in BL0 can be used to fulfill the same purpose as speaksfor, although BL0 suffers from the limitation that ⪰ is not internalized into the syntax of formulas. The latter restriction is removed in the full logic BL in §4.

Another important aspect of the ABLP logic, also not present in BL0, is principals with a syntactic structure that has semantic consequences. For example, the principal k₁ ∧ k₂ has the property that for every s, (k₁ ∧ k₂) says s is logically equivalent to (k₁ says s) ∧ (k₂ says s). Many other "connectives" of principals besides ∧ are considered in the ABLP logic. It is argued, mostly informally, that such structured principals can be used to represent several policy idioms including many kinds of delegations, groups, and roles [8]. A significant technical result of the work relates to decidability of fragments of the logic.

The logic of Appel and Felten. In their seminal work on proof-carrying authorization (then called proof-carrying authentication), Appel and Felten introduced a higher-order authorization logic [13]. In this logic, principals are treated as predicates and k says s is defined as k(s) (predicate k applied to formula s). The deduction system contains some common inference rules of higher-order logic and some specialized rules for authorization specific concerns. Higher-order predicates make the logic very expressive; indeed the authors treat the logic as a logical framework in which other authorization logics may be encoded. However, owing to the higher-order constructs, even proving simple properties like consistency is extremely difficult. Further, it remains unclear why a higher-order logic is necessary when first-order quantification suffices not only to express most policy idioms, but also as the basis of extremely expressive logical frameworks like Twelf [116]. This logic and its derivatives form the basis of several implementations of proof-carrying authorization prior to this work [18, 20].

GP logic and related approaches. As discussed in §3.5.1, the GP logic was developed jointly by the author and Pfenning [67]. The says connective in the GP logic is treated as an indexed lax modality [28, 60]. The paper introduces three basic ideas: (a) use of intuitionistic logic as opposed to classical logic for expressing authorization policies, (b) emphasis on structural proof theory and metatheory for authorization logic, and (c) use of first-order quantifiers in place of higher-order quantifiers as in the work of Appel and Felten. (a) and (b) are foundationally important contributions. They were discussed in §1. (c), the use of first-order quantifiers, was already "in the air" at the time that the GP logic was conceived because it was present in several policy languages (described below). Through a translation from the GP logic to BL0, it was argued in §3.5.1 that BL0 is no less expressive than the GP logic. Further, it has been described in §3.1.2 that it is difficult to express exclusive delegation in the GP logic. The latter motivated the switch from the GP logic to BL as the basis of this thesis. The ideas of using intuitionistic connectives, structural proof theory, and first-order quantifiers as foundations for authorization carry over to BL.

In  independent  work,  Abadi  describes  a  logic  closely  related  to  the  GP  logic  [5] ,  derived 
as  a  special  case  of  the  dependency  core  calculus  (DCC)  [7].  DCC  treats  k  says  s  as  an 
indexed  lax  modality  (like  the  GP  logic),  but  it  allows  more.  For  example,  k  says  k!  says  s 
is  logically  equivalent  to  k!  says  k  says  s.  This  can  be  undesirable  in  many  scenarios.  A 
restricted  version  of  DCC,  called  CDD  is  very  similar  to  the  GP  logic  (in  particular  it  does 
not  admit  this  commutativity),  except  that  it  contains  second-order  quantification  in  place 
of  first-order  quantification.  While  this  makes  it  difficult  to  express  many  policies  that 
require  quantification  over  principals  and  objects,  it  does  allow  the  speaksfor  connective 
introduced  in  §3.1.2  to  be  defined  using  other  connectives. 

In joint work with Abadi, we consider many extensions of the propositional fragment of the GP logic (and CDD) under the name ICL [65]. In particular, structured principals from ABLP logic are revisited, and their semantics are precisely defined. Further, the nature of the indexed lax modalities is explained by translation to the modal logic S4. It is also shown that the interpretation of $k \Rightarrow k'$ as $\forall s.\,((k\ \mathsf{says}\ s) \supset (k'\ \mathsf{says}\ s))$ is sound and complete if certain conditions are met.

The GP logic and CDD have been used subsequently in many other places, including languages for security [15, 61, 85, 139], several extensions including those containing support for explicit time and consumable credentials [34, 54, 66], an extensible authorization framework [90], and an extended logic for both representing authorization policies and reasoning about their consequences [55].

Other work. In a survey of the use of logic in access control, Abadi explores connections between logics and languages for writing authorization policies, in particular, Binder [4]. In this context, he proposes the axiom (I), which is admissible in BL0. More recently, Abadi has studied possible axioms for authorization logics and the connections between them, both in classical and intuitionistic settings [6].
3.7.2 Logic-based Authorization Languages

Besides  authorization  logics,  there  are  several  languages  for  writing  authorization  policies 
and  determining  their  consequences  that  use  logical  syntax  and  logic-like  inference  rules.  In 
this  section  we  discuss  some  of  these  languages. 

Historically, Binder [52] was the first policy language to support distributed policies. Its syntax extends the Horn fragment of predicate logic with a says modality, and its semantics (consequence relation) are defined by a translation to first-order logic, as discussed in §3.6. The overall structure of policy evaluation is similar to proof-carrying authorization: principals may sign arbitrary policy statements, which are then distributed to others. Any principal may derive authorizations by translating all policy statements it has into first-order logic using a transformation similar to that in §3.6 and running a Datalog engine over the translated statements. Soutei is another policy language with a says modality [118]. What is interesting about Soutei here is the similarity between its says modality and that of BL0: we proved in §3.5.2 that Soutei is a fragment of BL0. Soutei is also closely connected to, and a fragment of, Binder, as argued in §3.6.

SecPAL [23] is a more recent language for writing authorization policies. In addition to the says modality, SecPAL also includes support for exclusive delegation (via a construct written k says k' cansay p) as well as limited support for bounded delegation (a delegation in SecPAL can either be undelegatable or it can be delegated to any depth). SecPAL also supports environmental constraints including a limited form of explicit time; this aspect is discussed in greater detail in §4.7. SecPAL's formal semantics are based on logic-like inference rules, while its implementation is based on a translation to Datalog. It is shown formally that the translation respects the inference rules. Recently, Dinesh et al. [56] have proposed an access control logic which generalizes the cansay construct of SecPAL from atomic to arbitrary formulas. The proof system of the logic is classical and axiomatic. The language DKAL [76] adds directed communication to SecPAL. With directed communication, principals may make statements that are heard only by intended recipients. DKAL combines authorization policies with a logic-based framework for reasoning about the knowledge of principals. The latter is also the subject of a recent paper on an extension of the GP logic called u-logic [55].

The policy language RT [95] combines role based access control (RBAC) with trust management. We include it here because its semantics are defined through a translation to an extension of Datalog with constraint domains called Constrained Datalog [94]. RT has many important constructs including a construct to encode separation of duty as well as a thresholding construct that allows authorization only when m out of n designated principals approve. The latter seems to be difficult to express in authorization logics without additional constraint domains due to exponential blow-up in encoding (see §4.1.2 for a description of how thresholding can be encoded with constraints in the full logic BL). Cassandra [26] is another policy language based on RBAC whose semantics are also defined by translation to Datalog with constraints. In addition to roles, Cassandra also has support for representing physical distribution of policies on different sites. Other similar languages include DL, whose semantics are defined by translation to logic programs [92], and SD3, which is a very simple extension of Datalog with a certified inference engine that creates and checks a proof of inference before returning the result [86].

3.7.3  Other  Policy  Formalisms 

There  are  also  many  other  formalisms  for  expressing  authorization  policies  and  reasoning 
from  them  that  are  not  based  in  logic.  Although  they  are  not  directly  connected  to  the 
work  of  this  thesis,  for  the  sake  of  completeness,  we  briefly  discuss  some  of  them  here. 

Trust Management. Trust management (TM) is a general term for describing management of delegation in authorization policies. It was coined by Blaze et al. [32] who introduced two frameworks for enforcing policies, PolicyMaker [33] and its successor KeyNote [31]. The basic construct in these frameworks is delegation: principals delegate authority over specific subjects (predicates) to others through digitally signed certificates. For example, Alice may delegate to Bob the authority to make decisions about access to e-mails.

Although  designed  as  certificate  schemes  for  binding  names  and  keys  to  principals, 
the  Simple  Public  Key  Infrastructure  (SPKI)  [58]  and  X.509v3  [79]  also  allow  delegation 
of  authority  in  a  manner  similar  to  TM  frameworks.  SPKI  also  allows  limited  control 
over  delegating  delegated  authority  (bounded  delegation;  §3.1.2).  When  giving  Bob  some 
authority,  Alice  may  or  may  not  allow  Bob  to  further  delegate  the  authority.  SPKI  and 
KeyNote  also  allow  authority  to  be  delegated  jointly  to  groups  of  principals,  and  like  RT, 
also  support  thresholding.  The  latter  means  that  an  authorization  holds  if  at  least  m 
distinct  principals  out  of  n  specified  principals  state  that  it  does. 

Role Based Access Control (RBAC). RBAC [127] is a generic approach to access control in which permissions are authorized to specific roles, and principals are assigned membership to roles based on need. A lot of work has been done in the area, including a language for enforcing RBAC policies [83], and several proposals for administering RBAC [93, 126, 135].

XACML.  XACML  [107]  is  an  XML  based  language  for  specifying  policies.  XACML  can 
express  attribute  based  authorization.  Because  XACML  policy  rules  may  explicitly  allow 
or  deny  access,  decisions  drawn  from  policies  may  be  inconclusive  in  some  cases. 

3.7.4  Policy  Analysis 

There  has  been  a  limited  amount  of  work  in  the  past  on  analyzing  formally  represented 
authorization  policies  for  desirable  and  undesirable  properties  and  checking  their  correctness 
against  intuitive  criteria.  Techniques  in  the  area  have  been  based  in  logic  as  well  as  other 
formal  methods. 

Proof-theoretic approaches to analysis of authorization policies were pioneered in joint work of the author and Pfenning [67]. That work describes a method for making a static approximation of an authorization policy written in GP logic to prove that the addition of certain kinds of formulas (credentials) cannot affect the consequences drawn from the policy. This can be used to prove that the policy satisfies some intuitive properties regarding what control specific principals have over specific predicates. It is also proved that a priori, the logic isolates the statements of principals. This is called non-interference. It is a metatheorem like admissibility of cut. A similar (in fact stronger) theorem can be proved for BL0 easily. Abadi describes a related but different notion of non-interference for DCC [5]. Chaudhuri et al. describe a Datalog-based framework for modeling and analyzing the consequences of access control systems [42]. They apply their method to the access control model of Windows Vista and the Asbestos operating system, and find vulnerabilities in the former.

Outside  of  logic,  there  has  been  work  on  analysis  of  RBAC  systems.  For  example, 
Li  and  Mitchell  describe  algorithms  for  analyzing  reachability  properties  for  states  of  an 
RBAC  system,  given  some  restrictions  on  how  the  policies  may  change  [96].  Schaad  and 
Moffett  [131]  present  a  specification  language  for  describing  conflict-free  role  based  systems. 
Sasturkar  et  al.  [129]  and  Stoller  et  al.  [135]  analyze  the  complexity  of  deciding  reachability 
of  states  in  RBAC  systems  with  administrators  (ARBAC). 
Chapter 4

BL:  An  Authorization  Logic  for 
Dynamic  Policies 


This chapter introduces BL, the logic used in PCFS, discusses its proof theory, and its metatheoretic properties. BL is an extension of BL0 (§3); from the latter it inherits all connectives of first-order intuitionistic logic and the modality k says s. In addition, BL supports explicit time, predicates that represent the state of the system (called interpreted predicates), and constraint domains. Using these constructs, dynamic policies that depend on time and system state can be expressed in BL (§1.3, Motivation 2).

Support for explicit time in BL is manifest in the modality $s \mathrel{@} [u_1,u_2]$, which means that s is always true during the time interval $[u_1,u_2]$ but possibly not outside of it. $u_1$ and $u_2$ both denote time points, encoded as integers that count seconds from a fixed point of reference. This modality is useful for representing policies that expire at stipulated points of time, as well as those that use time relatively, e.g., allowing access for 90 days from the happening of an event. $s \mathrel{@} [u_1,u_2]$ was first studied in joint work by DeYoung, the author, and Pfenning [54] in the context of a different logic called η. η logic is covered in detail in DeYoung's undergraduate thesis [53]. It is an extension of the GP logic (§3.5.1) in much the same way that BL is an extension of BL0. The proof-theoretic treatment of $s \mathrel{@} [u_1,u_2]$ in BL is largely based on that in η, with the exceptions that the interaction between k says s and explicit time in BL is subtler than it is in η, and that there is also a new interaction between explicit time and interpreted predicates in BL, which is absent from η since η does not include interpreted predicates. From the perspective of modal logics, $s \mathrel{@} [u_1,u_2]$ is a hybrid modality, and like other similar modalities it interacts with all connectives of the logic and changes the very nature of logical judgments [35, 106, 122]. This is discussed in detail in §4.2.

Explicit time is useful for determining consequences of policies in practice only in conjunction with methods for reasoning about inequality between time points. For example, if Alice has a certificate that allows her a certain access from January 01, 2007 to December 31, 2010, it is only reasonable that she be able to derive from it a proof that allows her access on August 12, 2009. Constructing such a proof requires the ability to reason that August 12, 2009 lies between January 01, 2007 and December 31, 2010. To this end, BL includes special formulas called constraints, one particular form of which may be inequalities on time points, $u_1 \le u_2$. Constraints differ from ordinary predicates in that they are not established by hypothesis; instead their verification relies on an external constraint solver which is formally embedded in the logic via a satisfaction judgment $\models c$ (c denotes a constraint). We do not stipulate the rules of this judgment since, by design, the logic is agnostic to the solver used to implement constraints. However, the metatheoretic properties of BL are contingent upon certain assumptions about the constraint domain, which we list explicitly in §4.2.1. In addition to representing inequalities between time points, constraints can be used to represent the relation $k \succeq k'$ between principals in BL0, thus eliminating the need to fix the relation statically through the judgment $\Sigma \vdash k \succeq k'$. The proof-theoretic treatment of constraints in BL is based on similar work for linear logic [84, 128], which was also used previously in η logic.

Besides explicit time, many real authorization policies use the state of the system as an input. The state may represent the progress of a workflow or a protocol. As a simple example, the authorization policy for a homework directory in a class administration system may allow read and write access for the teaching assistants while the homework is being prepared, read and write access for students while the homework may be submitted, and read access for teaching assistants after submissions are closed. A simple way to model the different stages (preparation, submission, and post-submission) may be as a state system; the stage may be written by the instructor as an attribute (meta-data) on the homework directory, and the access policy rules may be contingent upon the value of the attribute. To incorporate such elements of state in policy rules, BL allows interpreted predicates, whose truth is not justified by the logical hypotheses, but by an external solver that refers to the state of the system. In the case of our example here, the solver would check the value of the attribute on the homework directory.

Constraints and interpreted predicates are similar to each other because both may be established through decision procedures external to the logic. They are different because the truth of interpreted predicates depends on the state of the system and may change with it, whereas the truth of constraints is independent of system state. This difference also manifests in separate treatments of constraints and interpreted predicates during enforcement of policies in PCFS (§5) and, hence, we maintain a syntactic distinction between the two in BL formulas. The proof theory of BL treats constraints and interpreted predicates similarly.

The emphasis in our discussion of BL, as in the case of BL0, is on structural proof theory, i.e. a natural deduction system (§4.2.2) and a sequent calculus (§4.2.4), which we show to be equivalent in terms of provability (§4.2.6). We prove several metatheoretic properties for BL including admissibility of cut. The importance of structural proof theory and metatheory in the context of authorization have already been emphasized in §1.3 and §3, so we do not reiterate them here. However, it is perhaps useful to observe that besides the fact that proof theory defines the meanings of policies represented in BL, proof-theoretic techniques are directly implemented in the proof verifier and automatic prover for PCFS (§5 and §6). We do not consider an axiomatic system for BL; the author is uncertain if there even is a complete axiomatization of the logic.
An important aspect of structural proof theory that we study for BL is proof normalization (§4.5): we show that every natural deduction proof can be transformed to one in a restricted class of proofs called canonical proofs. Canonical proofs are proofs without any β-redexes.¹ The proof of this normalization result uses admissibility of cut and generalizes well known observations about the similarity of cut-elimination and proof normalization in classical and intuitionistic logic [119, 120, 145]. It is more directly based on notes on proof theory for intuitionistic logic by Pfenning [114]. Another interesting aspect of BL covered in this chapter is its connection to BL0. Although BL's syntax and proof systems generalize those of BL0, BL is not a conservative extension of BL0. In particular, axiom (C) from §3.1.1 is not admissible in BL. In §4.6 we define a simple translation from BL0 to BL and prove it sound and complete. Finally, this chapter discusses how BL is used to represent policies and establish authorizations in PCFS (§4.3).

4.1  BL:  Syntax  and  Informal  Description 

BL generalizes intuitionistic first-order logic with the connectives k says s and $s \mathrel{@} [u_1,u_2]$, constraints, and interpreted predicates. In addition to the sort principal already present in BL0, BL also includes an additional sort time that includes all time points, whose members are denoted by the letter u. A ground time point is either an integer that represents time in seconds elapsed from a fixed point of reference (so time points can be both negative and positive), or it is one of the distinguished constants $-\infty$ and $+\infty$ denoting the minimum and maximum possible time respectively.

Atomic formulas in BL are of three types: (a) uninterpreted atoms, p, which are obtained by applying uninterpreted predicates P to terms, (b) interpreted atoms, i, which capture the state of the system in the logic, and (c) constraints, c. BL does not stipulate any specific uninterpreted or interpreted predicates, but it requires at least two types of constraints: $k_1 \succeq k_2$, which represents the preorder on principals introduced in §3.1, and $u_1 \le u_2$, which captures the usual ordering on integers with the added proviso that $u \le +\infty$ and $-\infty \le u$ for every u. The syntax of BL formulas is summarized in Figure 4.1. An interval $[u_1,u_2]$ in the syntax is well-formed only if $u_1 \le u_2$. Well-formedness of formulas can be defined through inference rules as in prior work [54], but for simplicity we omit these details from the presentation here.

4.1.1  Properties  of  Connectives  Explained  Informally 

Before describing proof systems for BL, we explain informally how explicit time, interpreted predicates, and constraints interact with other connectives of the logic and with each other. The objective of explaining these interactions is to illustrate the meanings of the new constructs in BL. Interaction of the modality k says s with standard connectives of first-order logic was explained in §3 in the context of BL0 and carries over to BL rather unchanged, the only exception being that the BL0 axiom (C), $k\ \mathsf{says}\ ((k\ \mathsf{says}\ s) \supset s)$, is not admissible in BL. The latter is not a limitation of BL, since axiom (C) is rarely, if ever, needed to draw meaningful consequences from policies. It was included in BL0 primarily to make the axiomatic system and natural deduction equivalent (Theorem 3.13). An analogue of axiom (C), $(k\ \mathsf{says}\ (((k\ \mathsf{says}\ s) \mathrel{@} [u_1,u_2]) \supset s)) \mathrel{@} [u_1,u_2]$, is admissible in BL.

¹ A β-redex is any locus in a natural deduction proof where an elimination rule is applied to a connective that is established using an introduction rule.

Sorts: $\sigma ::= \mathsf{principal} \mid \mathsf{time} \mid \ldots$

Integers: $n ::= \ldots \mid -2 \mid -1 \mid 0 \mid 1 \mid 2 \mid \ldots$

Constants: $a ::= \ldots \mid n \mid -\infty \mid +\infty \mid \ldots$

Terms: $t, k, u ::= a \mid x \mid f(t_1, \ldots, t_n)$

Uninterpreted predicates: $P$

Interpreted predicates: $I$

Uninterpreted atoms: $p, q ::= P\ t_1 \ldots t_n$

Interpreted atoms: $i ::= I\ t_1 \ldots t_n$

Constraints: $c ::= u_1 \le u_2 \mid k_1 \succeq k_2 \mid \ldots$

Formulas: $r, s ::= p \mid i \mid c \mid r \wedge s \mid r \vee s \mid r \supset s \mid \top \mid \bot \mid \forall x{:}\sigma.\, s \mid \exists x{:}\sigma.\, s \mid k\ \mathsf{says}\ s \mid s \mathrel{@} [u_1,u_2]$

Figure 4.1: Syntax of BL formulas

Interaction of explicit time and constraints with other connectives. The BL modality $s \mathrel{@} [u_1,u_2]$, together with constraints, interacts with all other connectives in a significant manner. Writing $s_1 \equiv s_2$ as an abbreviation for $(s_1 \supset s_2) \wedge (s_2 \supset s_1)$, and $\vdash s$ for provability without hypotheses, the following properties hold. A formal definition of $\vdash s$ and proofs of all properties listed in this section are deferred to §4.2.4.

1. $\vdash ((u_1 \le u_1') \wedge (u_2' \le u_2)) \supset ((s \mathrel{@} [u_1,u_2]) \supset (s \mathrel{@} [u_1',u_2']))$

2. $\vdash ((s_1 \wedge s_2) \mathrel{@} [u_1,u_2]) \equiv ((s_1 \mathrel{@} [u_1,u_2]) \wedge (s_2 \mathrel{@} [u_1,u_2]))$

3. $\vdash ((s_1 \vee s_2) \mathrel{@} [u_1,u_2]) \equiv ((s_1 \mathrel{@} [u_1,u_2]) \vee (s_2 \mathrel{@} [u_1,u_2]))$

4. $\vdash ((\forall x{:}\sigma.\, s) \mathrel{@} [u_1,u_2]) \equiv (\forall x{:}\sigma.\, (s \mathrel{@} [u_1,u_2]))$ ($x \notin u_1, u_2$)

5. $\vdash ((\exists x{:}\sigma.\, s) \mathrel{@} [u_1,u_2]) \equiv (\exists x{:}\sigma.\, (s \mathrel{@} [u_1,u_2]))$ ($x \notin u_1, u_2$)

6. $\vdash \top \mathrel{@} [u_1,u_2]$

7. $\vdash (\bot \mathrel{@} [u_1,u_2]) \supset (s \mathrel{@} [u_1',u_2'])$

8. There is no interval $[u_1,u_2]$ such that $\vdash \bot \mathrel{@} [u_1,u_2]$.

9. $\vdash ((s_1 \supset s_2) \mathrel{@} [u_1,u_2]) \equiv (\forall x_1{:}\mathsf{time}.\, \forall x_2{:}\mathsf{time}.\, (((u_1 \le x_1) \wedge (x_2 \le u_2) \wedge (s_1 \mathrel{@} [x_1,x_2])) \supset (s_2 \mathrel{@} [x_1,x_2])))$

Property (1) means that if s holds during an interval $[u_1,u_2]$, then it also holds during any subinterval $[u_1',u_2']$. The constraints $u_1 \le u_1'$ and $u_2' \le u_2$ imply that $[u_1',u_2'] \subseteq [u_1,u_2]$. Properties (2)-(5) mean that the @ connective commutes with the connectives $\wedge$, $\vee$, $\forall$, and $\exists$. The provability of the formula $((s_1 \vee s_2) \mathrel{@} [u_1,u_2]) \supset ((s_1 \mathrel{@} [u_1,u_2]) \vee (s_2 \mathrel{@} [u_1,u_2]))$ entailed by property (3) may be surprising. For example, if $s_1$ holds on some interval $[u_1,u]$ and $s_2$ holds on another interval $[u,u_2]$, then, seemingly, $(s_1 \vee s_2) \mathrel{@} [u_1,u_2]$ should be true but neither of $s_1 \mathrel{@} [u_1,u_2]$ and $s_2 \mathrel{@} [u_1,u_2]$ may hold. However, in BL, we do not allow an analysis of intervals; in particular, $s_1 \mathrel{@} [u_1,u]$ and $s_2 \mathrel{@} [u,u_2]$ do not imply $(s_1 \vee s_2) \mathrel{@} [u_1,u_2]$, so the previous counterexample does not work. The reasons for this choice are explained in §4.2.2.

Truth is provable a priori on all intervals, as property (6) states. Property (7) states that if falsehood is provable on any interval, then every formula is provable on every interval. This may be surprising, particularly because a similar property does not hold for says: it is not the case that $\vdash (k\ \mathsf{says}\ \bot) \supset (k'\ \mathsf{says}\ s)$ for unrelated k and k'. However, there is no interval on which $\bot$ is provable a priori, so the logic is consistent (8). Property (9) means that a proof of $(s_1 \supset s_2) \mathrel{@} [u_1,u_2]$ is equivalent to having a proof of $(s_1 \mathrel{@} [x_1,x_2]) \supset (s_2 \mathrel{@} [x_1,x_2])$ for every subinterval $[x_1,x_2]$ of $[u_1,u_2]$. This property is a consequence of the intuitionistic nature of BL and the hybrid nature of @.

Unlike the connectives $\wedge$, $\vee$, $\forall$, and $\exists$, which commute freely with @, the says connective commutes with @ in only one direction, as the following properties show. ($\nvdash s$ means that there is at least one instance of s that is not provable a priori.)

10. $\vdash ((k\ \mathsf{says}\ s) \mathrel{@} [u_1,u_2]) \supset (k\ \mathsf{says}\ (s \mathrel{@} [u_1,u_2]))$

11. $\nvdash (k\ \mathsf{says}\ (s \mathrel{@} [u_1,u_2])) \supset ((k\ \mathsf{says}\ s) \mathrel{@} [u_1,u_2])$

The @ connective has a trivial interaction with itself: nested @ connectives can be reduced to the innermost only.

12. $\vdash ((s \mathrel{@} [u_1,u_2]) \mathrel{@} [u_1',u_2']) \equiv (s \mathrel{@} [u_1,u_2])$

Finally, axiom (S) of BL0 from §3.1.1 can be generalized in BL by internalizing the side condition $\Sigma \vdash k \succeq k'$ as a constraint.

13. $\vdash (k' \succeq k) \supset ((k'\ \mathsf{says}\ s) \supset (k\ \mathsf{says}\ s))$

Interaction of constraints with says and @. There are two interactions between constraints and says, and constraints and @, that deserve careful scrutiny. First, $c \supset (k\ \mathsf{says}\ c)$ for every k and c, which means that every true constraint is supported by every principal. This supports the idea that there is a unique definition of constraint satisfaction on which all principals agree. This may not be the case for other formulas since, in general, it is not the case that $s \supset (k\ \mathsf{says}\ s)$. Further, $(k\ \mathsf{says}\ c)$ does not imply c. This prevents principals from changing the universal meaning of constraints simply by asserting new constraints.

Second, it is the case that $(c \mathrel{@} [u_1,u_2]) \equiv (c \mathrel{@} [u_1',u_2'])$. This is a consequence of the fact that the truth of a constraint is independent of time: either c holds on all intervals or it holds on none. All these interactions are summarized below.

14. $\vdash c \supset (k\ \mathsf{says}\ c)$

15. $\nvdash (k\ \mathsf{says}\ c) \supset c$

16. $\vdash (c \mathrel{@} [u_1,u_2]) \equiv (c \mathrel{@} [u_1',u_2'])$


Interaction of interpreted atoms with other connectives. The interaction of interpreted atoms with most connectives of BL is unremarkable; they behave almost like their uninterpreted counterparts. However, interpreted atoms interact with says and @ in a manner that is similar to that described previously for constraints. In particular, the following properties hold in BL.

17. $\vdash i \supset (k\ \mathsf{says}\ i)$

18. $\nvdash (k\ \mathsf{says}\ i) \supset i$

19. $\vdash (i \mathrel{@} [u_1,u_2]) \equiv (i \mathrel{@} [u_1',u_2'])$

Property  (17)  implies  (as  for  constraints)  that  all  principals  agree  on  a  single  definition 
of  interpreted  predicates,  which  should  be  intuitive  since  there  is  a  single  system  state  at  the 
point  of  policy  enforcement.  Property  (18)  prevents  principals  from  changing  this  unique 
interpretation  through  assertions. 

Property (19) is counter-intuitive, and reflects an important design choice not only in BL but also in PCFS. The apparent problem with the property is that, in practice, the truth of interpreted atoms does change with time as the system state changes, so $i \mathrel{@} [u_1,u_2]$ should not imply $i \mathrel{@} [u_1',u_2']$ for arbitrary intervals $[u_1,u_2]$ and $[u_1',u_2']$. The reason that this implication holds in BL is that interpreted atoms are evaluated in a fixed system state that is explicitly assumed, and is supposed to represent the state prevailing at the time of access. This state is denoted by the symbol E in §4.2. Consequently, the statement "i is true" implicitly means that "i is true in the explicitly assumed state E", and is, therefore, independent of time.

The ramification of this design choice is that the history of system state cannot be captured by interpreted atoms and explicit time in an intuitive manner. While this may seem limiting, it is necessitated by practical concerns: if $i \mathrel{@} [u_1,u_2]$ did indeed mean that i were true during the interval $[u_1,u_2]$, then any proof verifier would need a record of the entire history (and possibly future) of system state in order to check proofs. This is clearly impractical. On the other hand, limiting system state to one point in time does not really reduce expressiveness: if some access control policy were to rely on a predicate over system state having been true in the past, this can still be represented in BL by requiring that there be explicit evidence (either an element of system state or a certificate) still valid at the time of access that witnesses this fact. Clearly, requiring such persistent evidence is no harder than requiring the reference monitor to maintain a record of the entire history, and is in fact a better design choice since it requires the policy to make explicit what evidence from the past is necessary to verify proofs.
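The properties listed in this section can be read as rewrite rules. The following is an added example, not code from the thesis or from PCFS, that implements them in Python as a normaliser which pushes @ inward using properties (2)-(6), (12), (16) and (19) and stops where the section shows @ cannot move; the class names, the encoding of time points as Python numbers, and the use of -inf and +inf for the constants -oo and +oo are this example's own assumptions.

```python
"""Pushing the @ modality inward through BL formulas.

Added example, not code from the thesis or from PCFS.  The equivalences of this
section, properties (2)-(6), (12), (16) and (19), are applied as rewrites that
move `s @ [u1,u2]` toward the atoms; @ is left where the section shows it cannot
move: on uninterpreted atoms and falsehood, on implication (property (9) only
gives a quantified form) and on `says` ((10) is an implication and (11) denies
the converse).  Assumptions: time points are Python numbers, with -inf and +inf
standing for the constants -oo and +oo; class and field names are the example's own.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Atom:                # uninterpreted atom p = P t1 ... tn
    name: str
    args: tuple = ()

@dataclass(frozen=True)
class Interp:              # interpreted atom i = I t1 ... tn (system state)
    name: str
    args: tuple = ()

@dataclass(frozen=True)
class Constraint:          # constraint c, e.g. ("<=", (u1, u2)) or ("succeq", (k1, k2))
    rel: str
    args: tuple = ()

@dataclass(frozen=True)
class Top:                 # truth
    pass

@dataclass(frozen=True)
class Bot:                 # falsehood
    pass

@dataclass(frozen=True)
class Bin:                 # r ∧ s, r ∨ s, r ⊃ s, with op "and", "or" or "imp"
    op: str
    left: Any
    right: Any

@dataclass(frozen=True)
class Quant:               # ∀x:σ.s or ∃x:σ.s, with q "forall" or "exists"
    q: str
    var: str
    sort: str
    body: Any

@dataclass(frozen=True)
class Says:                # k says s
    principal: str
    body: Any

@dataclass(frozen=True)
class At:                  # s @ [u1,u2]; well-formed only when u1 <= u2
    body: Any
    u1: float
    u2: float


def subinterval(inner: tuple, outer: tuple) -> bool:
    """Property (1): s @ outer yields s @ inner exactly when the constraints
    outer[0] <= inner[0] and inner[1] <= outer[1] hold, i.e. inner is a subinterval."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def push_at(s: Any) -> Any:
    """Return a BL formula equivalent to s with every @ pushed inward as far as
    the equivalences of this section allow."""
    if isinstance(s, At):
        return _distribute(push_at(s.body), s.u1, s.u2)
    if isinstance(s, Bin):
        return Bin(s.op, push_at(s.left), push_at(s.right))
    if isinstance(s, Quant):
        return Quant(s.q, s.var, s.sort, push_at(s.body))
    if isinstance(s, Says):
        return Says(s.principal, push_at(s.body))
    return s


def _distribute(s: Any, u1: float, u2: float) -> Any:
    """Apply @ [u1,u2] to a formula whose subformulas are already normalised."""
    if isinstance(s, Top):                    # (6): ⊤ holds on every interval
        return Top()
    if isinstance(s, (Constraint, Interp)):   # (16), (19): truth is independent of time
        return s
    if isinstance(s, Bin) and s.op in ("and", "or"):   # (2), (3): @ distributes over ∧, ∨
        return Bin(s.op, _distribute(s.left, u1, u2), _distribute(s.right, u1, u2))
    if isinstance(s, Quant):                  # (4), (5): u1, u2 are ground, so x is not free in them
        return Quant(s.q, s.var, s.sort, _distribute(s.body, u1, u2))
    if isinstance(s, At):                     # (12): nested @, only the innermost interval counts
        return s
    return At(s, u1, u2)                      # Atom, Bot, implication, says: @ stays put
```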
4.1.2 Expressible Policy Idioms

Using explicit time, constraints, and interpreted predicates, several new policy idioms in addition to those already expressible in BL0 (§3.1.2) become expressible in BL. This section lists some of these idioms.


Certificate expiration. The simplest use of explicit time is to accurately represent expiration of certificates in the logic. For example, if Alice signs a certificate allowing Bob read access to file secret.txt from February 01, 2009 to February 28, 2009, this can be represented in BL as the formula (Alice says (may Bob secret.txt read)) @ [2009:02:01, 2009:02:28].² The interaction of the @ connective with constraints in BL ensures that this time interval is respected during enforcement.


Anachronistic references. Explicit time can also be used to represent policies that depend on facts having been true at explicit time points in the past. This often happens in policies that represent a change of scenario. Suppose, for instance, that a university UV allows its alumni to continue to access their files for six months after they leave UV. This policy can be expressed using a combination of explicit time and constraints in BL. Let the predicate alumni k T mean that k became an alumnus at time T, let the constraint is T T' mean that T and T' are equal, and let 1804 denote a time period of six months. Then, UV may represent this policy as follows.

$\mathit{UV}\ \mathsf{says}\ \forall k, f, T, T'.\ (((\mathsf{alumni}\ k\ T) \wedge ((\mathsf{mayaccess}\ k\ f) \mathrel{@} [T,T]) \wedge (\mathsf{is}\ T'\ (T + 1804))) \supset ((\mathsf{mayaccess}\ k\ f) \mathrel{@} [T,T']))$

This policy rule states that if k became an alumnus at time T and k could access file f at time T, then k may access file f during the interval [T, T + 1804] as well. The constraint is T T' and the arithmetic operator + used in this policy rule are supported in the implementation of BL in PCFS (see §4.3).


State dependent policies. Access is sometimes dependent on the state of the system, 
which is itself not modeled in the policy as a certificate. This can happen when access 
rights change during different stages of a workflow. Such policies can be expressed in BL 
using interpreted predicates. For example, in PCFS, files go through two states: default 
and governed. A newly created file is in the default state, and in this state the owner of 
the file has all access to the file, whereas in the governed state other applicable policy rules 
determine access to the file. Let the interpreted predicates $\mathit{state}\ f\ S$ and $\mathit{owner}\ f\ k$ 
respectively mean that file $f$ is in state $S$, and that the owner of file $f$ is principal $k$. Then, 

$^2$ In Section 4.3 we describe the representation of digital certificates using basic judgments of BL instead 
of formulas. Although logically equivalent, that representation is slightly simpler and closer to the actual 
implementation of BL in PCFS. 
the access policy for the default state may be expressed using the following formula.$^3$ 

$\mathit{admin}\ \mathbf{says}\ \forall k, f.\ (((\mathit{state}\ f\ \mathit{default}) \wedge (\mathit{owner}\ f\ k)) \supset (\mathit{mayaccess}\ k\ f))$ 

Other  examples  of  policies  that  depend  on  state,  and  in  particular  on  attributes  of  files  may 
be  found  in  §4.3.3  and  §8. 

Thresholding. It was mentioned in §3.7 that it is difficult to express without constraints 
policies that allow access only when $m$ out of $n$ designated principals approve. However, 
with constraints, such thresholding is easy to express. For example, the following policy rule 
states that Alice supports $s$ if at least three good principals also support $s$. The constraint 
$\mathit{different}\ k_1\ k_2\ k_3$ means that the three principals $k_1$, $k_2$, and $k_3$ are distinct. (This 
example is based on a similar example in a paper on the policy language SecPAL [23].) 

$\mathit{Alice}\ \mathbf{says}\ \forall k_1, k_2, k_3.$ 
$\quad (((k_1\ \mathbf{says}\ s) \wedge (k_2\ \mathbf{says}\ s) \wedge (k_3\ \mathbf{says}\ s) \wedge (\mathit{good}\ k_1) \wedge (\mathit{good}\ k_2) \wedge (\mathit{good}\ k_3) \wedge$ 
$\quad\ (\mathit{different}\ k_1\ k_2\ k_3)) \supset s)$ 

4.2  Structural  Proof  Theory 

We now turn to the centerpiece of this thesis, the proof theory of BL. We describe a 
natural deduction system and a sequent calculus for the logic, and study their metatheoretic 
properties. The technical content in this section generalizes the structural proof theory of 
BL$_S$ (§3.2). Before presenting the inference systems we discuss how constraint domains and 
interpreted predicates are formally represented in the logic, since they are crucial to both 
natural deduction and the sequent calculus. 

4.2.1  Constraints  and  Interpreted  Predicates 

Unlike  uninterpreted  predicates  which  are  established  by  applying  inference  rules  of  the 
logic  to  hypotheses,  the  rules  for  establishing  constraints  and  interpreted  predicates  are 
not  stipulated  in  BL.  Instead,  both  constraints  and  interpreted  predicates  are  established 
through  external  solvers,  which  we  formally  reflect  in  the  logic  via  judgments  without  any 
specific  rules. 

Representation of constraint domains. Let $\Psi = c_1, \ldots, c_n$ denote a set of constraints, 
possibly containing free variables that are implicitly assumed to be universally quantified. 
Let $c$ be another constraint and let $\Sigma$ be a sorting whose domain contains all the free 
variables of $\Psi$ and $c$. We write $\Sigma; \Psi \models c$ if and only if for every grounding substitution 
$\theta$ whose domain includes the domain of $\Sigma$, it is the case that $c_1\theta, \ldots, c_n\theta$ entail $c\theta$. This 

$^3$ This policy rule is merely an illustration. In the actual implementation of PCFS, the state of a file is 
represented through an extended attribute which can be represented in BL through a generic interpreted 
predicate has_xattr, and the owner is given access in the default state by procaps, not a policy rule. See §7 
for details. 
entailment may be classical, i.e. the constraint solver may simply check that $\neg c_1\theta \vee \ldots \vee \neg c_n\theta \vee c\theta$ holds. 

Clearly, the constraint domain must support universally quantified variables. For certain 
fragments of the logic, this requirement can be waived. In particular, if both universal 
quantification and implication are disallowed on the right hand side of hypothetical judgments 
and existential quantification is disallowed on the left, then the constraint domain 
does not need to take into account universally quantified variables. This is because only 
the rules ($\supset$R), ($\forall$R), and ($\exists$L) of the sequent calculus (§4.2.4) introduce variables in $\Sigma$. 
Although this restricted fragment is quite expressive, the implementation of the solver for 
constraints in PCFS takes into account universally quantified variables and does not need 
this restriction. 

The proof theory of BL uses the judgment $\Sigma; \Psi \models c$ as a “black box”, and is therefore 
oblivious to the details of the constraint solver used. However, in order to obtain metatheoretic 
properties of the inference systems, we make the following assumptions about the 
constraint domain. 

(C-hyp) $\Sigma; \Psi, c \models c$. 

(C-weaken) $\Sigma; \Psi \models c$ implies both $\Sigma; \Psi, c' \models c$ and $\Sigma, x{:}\sigma; \Psi \models c$. 

(C-cut) $\Sigma; \Psi \models c$ and $\Sigma; \Psi, c \models c'$ imply $\Sigma; \Psi \models c'$. 

(C-subst) $\Sigma, x{:}\sigma; \Psi \models c$ and $\Sigma \vdash t : \sigma$ imply $\Sigma; \Psi[t/x] \models c[t/x]$. 

(C-refl-time) $\Sigma; \Psi \models u \leq u$. 

(C-trans-time) $\Sigma; \Psi \models u \leq u'$ and $\Sigma; \Psi \models u' \leq u''$ imply $\Sigma; \Psi \models u \leq u''$. 

(C-refl-prin) $\Sigma; \Psi \models k \succeq k$. 

(C-trans-prin) $\Sigma; \Psi \models k \succeq k'$ and $\Sigma; \Psi \models k' \succeq k''$ imply $\Sigma; \Psi \models k \succeq k''$. 

(C-inf-time) $\Sigma; \Psi \models u \leq +\infty$ and $\Sigma; \Psi \models -\infty \leq u$. 

(C-loc-prin) $\Sigma; \Psi \models \ell \succeq k$. 

(C-hyp), (C-weaken), and (C-cut) should hold for any reasonable constraint domain, simply 
by definition of entailment. (C-subst) means that the constraint domain accounts for 
universally quantified variables correctly. (C-refl-time) and (C-trans-time) mean that the 
constraint domain must treat the relation $u \leq u'$ as a preorder. (C-refl-prin) and (C-trans-prin) 
impose a similar condition on $k \succeq k'$. (C-inf-time) and (C-loc-prin) ensure that $+\infty$ 
and $-\infty$ are treated as the greatest and the least time points respectively, and that $\ell$ is the 
strongest principal. 

How easy is it to implement a decision procedure for solving $u \leq u'$ and $k \succeq k'$, the 
two forms of constraints mandated by BL? It turns out that this is extremely easy. In each 
case, we only need to take a reflexive transitive closure of the relations assumed in $\Psi$ and 
check that the goal $c$ lies in the result. Both the front end (proof search, proof verifier) and 
the back end (reference monitor) of PCFS implement these decision procedures. A typical 
check takes around 2μs on a 2.4GHz Intel Core 2 Duo processor. 
Representation of the solver for interpreted predicates. Interpreted predicates 
are checked directly on the prevailing state of the system. In the logic, the state of the 
system is abstractly represented as a set of interpreted atoms, denoted $E$. The judgment 
$\Sigma; E \models i$ means that for all grounding substitutions $\theta$ whose domain contains the domain 
of $\Sigma$, $i\theta \in E\theta$. In order to prove metatheoretic properties of BL's inference systems, we 
make the following assumptions about this judgment, all of which should be intuitive from 
its definition. 

(S-hyp) $\Sigma; E, i \models i$. 

(S-weaken) $\Sigma; E \models i$ implies both $\Sigma; E, E' \models i$ and $\Sigma, x{:}\sigma; E \models i$. 

(S-cut) $\Sigma; E \models i$ and $\Sigma; E, i \models i'$ imply $\Sigma; E \models i'$. 

(S-subst) $\Sigma, x{:}\sigma; E \models i$ and $\Sigma \vdash t : \sigma$ imply $\Sigma; E[t/x] \models i[t/x]$. 

In an actual implementation it may be infeasible to represent the entire system state explicitly 
in $E$ because it may be very large or even infinite. Accordingly, in the implementation 
of PCFS, only certain atoms in $E$ are represented explicitly. These are atoms that are 
added to $E$ in a proof rule, e.g., (interE) in the natural deduction system (§4.2.2). The rest 
of the state is left implicit in the system, and is checked directly by the solver. 

4.2.2  Natural  Deduction 

Our presentation of BL's proof theory, as for BL$_S$, is based on Martin-Löf's 
judgmental description of type theory [99] and draws on its refinements in the work of 
Pfenning and Davies [115]. More directly, the treatment of says in BL is based on that in 
BL$_S$, and the treatment of time is based on that in $\eta$ logic [53, 54]. This section describes 
natural deduction for BL whereas §4.2.4 covers the sequent calculus. 

Basic judgments in BL are relativized to time; absolute truth of formulas independent of 
time cannot be asserted in BL. We use two basic judgments (denoted $J$) in our presentation: 
$s \circ [u_1, u_2]$, which means that $s$ holds throughout the closed interval $[u_1, u_2]$, and $k\ \mathbf{claims}\ s \circ [u_1, u_2]$, 
which means that $k$ supports or claims throughout the interval $[u_1, u_2]$ that $s$ is 
true. The symbol $\circ$ is read “on” or “throughout”. The two basic judgments do not entail 
each other in general. $s \circ [u_1, u_2]$ is internalized in the syntax of formulas as $s\ @\ [u_1, u_2]$, 
whereas $k\ \mathbf{claims}\ s \circ [u_1, u_2]$ is internalized through a combination of two connectives as 
$(k\ \mathbf{says}\ s)\ @\ [u_1, u_2]$. 

Hypothetical Judgments. Hypothetical judgments of BL, which are the subjects of its 
inference rules, take the form $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$. $\Psi$ and $E$ are assumed constraints 
and interpreted atoms respectively. The hypotheses $\Gamma$ form a multiset of basic judgments. $\nu$ 
is called the view of the hypothetical judgment. It is a triple that contains a principal and 
two time points, written $k_0, u_b, u_e$. The presence of time points $u_b, u_e$ in views is motivated 
by practical considerations of representing policies intuitively, and is justified in §4.4. 
Basic Judgments $J$ ::= $s \circ [u_1, u_2]$ | $k\ \mathbf{claims}\ s \circ [u_1, u_2]$ 
Hypothetical Constraints $\Psi$ ::= $c_1 \ldots c_n$ 
System State $E$ ::= $i_1 \ldots i_n$ 
Views $\nu$ ::= $k_0, u_b, u_e$ 
Hypotheses $\Gamma$ ::= $J_1 \ldots J_n$ $(n \geq 0)$ 
Hypothetical Judgments ::= $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ 


Analogous to inference in BL$_S$, natural deduction for BL is guided by several principles 
that relate its judgments. As for BL$_S$, the view principle explains the role of views in 
inference and is incorporated as a rule in natural deduction, whereas two other principles, 
the substitution principle and the claim principle, are proved to be admissible (§4.2.3). 
In addition, there is a fourth principle in BL, called the time subsumption principle. We 
describe these four principles below, starting with time subsumption. 


Time subsumption principle. $s \circ [u_1', u_2']$ entails $s \circ [u_1, u_2]$ if $u_1' \leq u_1$ and $u_2 \leq u_2'$. 

The time subsumption principle means that if $s$ is known to be true throughout an interval 
$[u_1', u_2']$, it must also be true on every subinterval $[u_1, u_2]$. This principle is incorporated 
into the following hypothesis rule of natural deduction. For conclusions of hypothetical 
judgments, we prove the principle as a theorem (Theorem 4.4). 

(hyp) $\dfrac{\Sigma; \Psi \models u_1' \leq u_1 \quad \Sigma; \Psi \models u_2 \leq u_2'}{\Sigma; \Psi; E; \Gamma, s \circ [u_1', u_2'] \vdash^{\nu} s \circ [u_1, u_2]}$ 

The time subsumption principle is very important for the implementation of PCFS. This is 
explained in §4.3. 


View principle. While reasoning in view $k_0, u_b, u_e$, the assumption $k\ \mathbf{claims}\ s \circ [u_1, u_2]$ 
entails $s \circ [u_1, u_2]$ if $k \succeq k_0$, $u_1 \leq u_b$ and $u_e \leq u_2$. 

Together with the time subsumption principle, the view principle results in the following 
rule in natural deduction: 

(claims) $\dfrac{\nu = k, u_b, u_e \quad \Sigma; \Psi \models u_1' \leq u_1 \quad \Sigma; \Psi \models u_2 \leq u_2' \quad \Sigma; \Psi \models u_1' \leq u_b \quad \Sigma; \Psi \models u_e \leq u_2' \quad \Sigma; \Psi \models k' \succeq k}{\Sigma; \Psi; E; \Gamma, k'\ \mathbf{claims}\ s \circ [u_1', u_2'] \vdash^{\nu} s \circ [u_1, u_2]}$ 
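The decision procedure sketched in §4.2.1 (reflexive transitive closure of the relations assumed in $\Psi$, then a membership test for the goal) is what discharges the constraint premises of the (hyp) and (claims) rules just given. The following Python is an added illustration of both points; it is not PCFS's solver and is not code from this thesis. The names PLUS_INF, MINUS_INF and LOCAL (standing for $+\infty$, $-\infty$ and the strongest principal $\ell$), the representation of $\Psi$ as two sets of pairs, and the sample chain of time points and principal hierarchy are all assumptions made for the example.

```python
"""Constraint solver for BL's two mandated constraint forms, u <= u' on time
points and k >= k' on principals, by reflexive transitive closure of the
relations assumed in Psi, plus the side-condition checks of the (hyp) and
(claims) rules.  Illustrative code; PCFS's own solver is not reproduced."""

from typing import Hashable, Iterable, Set, Tuple

Point = Hashable
Pair = Tuple[Point, Point]

# Distinguished elements of the two domains.  These names are assumptions made
# for this example; the thesis writes them +inf, -inf and the local principal l.
PLUS_INF = "+inf"
MINUS_INF = "-inf"
LOCAL = "local"


def reflexive_transitive_closure(pairs: Iterable[Pair],
                                 extra: Iterable[Point] = ()) -> Set[Pair]:
    """Warshall-style closure of a binary relation given as a set of pairs.
    'extra' lists elements that must get a reflexive edge even when Psi does
    not mention them (typically the goal's own endpoints)."""
    rel = set(pairs)
    elems = {e for p in rel for e in p} | set(extra)
    rel |= {(e, e) for e in elems}          # (C-refl-time) / (C-refl-prin)
    for k in elems:                         # (C-trans-time) / (C-trans-prin)
        for i in elems:
            if (i, k) in rel:
                for j in elems:
                    if (k, j) in rel:
                        rel.add((i, j))
    return rel


class ConstraintSolver:
    """Psi is represented as two sets of assumed pairs: u <= u' and k >= k'."""

    def __init__(self, time_leq: Iterable[Pair], prin_geq: Iterable[Pair]):
        self.time_leq = set(time_leq)
        self.prin_geq = set(prin_geq)

    def leq(self, u: Point, v: Point) -> bool:
        """Decide Sigma; Psi |= u <= v."""
        if v == PLUS_INF or u == MINUS_INF:     # (C-inf-time)
            return True
        if isinstance(u, int) and isinstance(v, int):
            return u <= v                       # ground (numeric) time points
        return (u, v) in reflexive_transitive_closure(self.time_leq, (u, v))

    def stronger(self, k: Point, k2: Point) -> bool:
        """Decide Sigma; Psi |= k >= k2, i.e. k is at least as strong as k2."""
        if k == LOCAL:                          # (C-loc-prin)
            return True
        return (k, k2) in reflexive_transitive_closure(self.prin_geq, (k, k2))


def hyp_applies(solver, hyp_interval, goal_interval) -> bool:
    """Side conditions of rule (hyp): hypothesis s o [u1', u2'] proves
    s o [u1, u2] iff u1' <= u1 and u2 <= u2' (time subsumption)."""
    (h1, h2), (g1, g2) = hyp_interval, goal_interval
    return solver.leq(h1, g1) and solver.leq(g2, h2)


def claims_applies(solver, view, claimer, hyp_interval, goal_interval) -> bool:
    """Side conditions of rule (claims) in view (k, ub, ue): hypothesis
    k' claims s o [u1', u2'] proves s o [u1, u2] iff u1' <= u1, u2 <= u2',
    u1' <= ub, ue <= u2' and k' >= k."""
    k, ub, ue = view
    (h1, h2), (g1, g2) = hyp_interval, goal_interval
    return (solver.leq(h1, g1) and solver.leq(g2, h2)
            and solver.leq(h1, ub) and solver.leq(ue, h2)
            and solver.stronger(claimer, k))


# Constructed sample Psi: a chain of symbolic time points t0 <= t1 <= t2 <= t3
# and a small principal hierarchy admin >= alice >= bob (made up for this example).
SAMPLE = ConstraintSolver(
    time_leq={("t0", "t1"), ("t1", "t2"), ("t2", "t3")},
    prin_geq={("admin", "alice"), ("alice", "bob")},
)

if __name__ == "__main__":
    print(SAMPLE.leq("t0", "t3"), SAMPLE.leq("t3", "t0"))
    print(claims_applies(SAMPLE, ("alice", "t1", "t2"), "admin",
                         ("t0", "t3"), ("t1", "t2")))
```

The closure is recomputed on every query, which is what keeps the code short; a solver that answers many queries against the same $\Psi$ would compute it once. The numeric branch in `leq` only stands in for a concrete time domain; the symbolic chain is the part that corresponds to the preorder assumed in $\Psi$.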

Substitution principle. $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ and $\Sigma; \Psi; E; \Gamma, s \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1', u_2']$ 
imply $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']$. 

The substitution principle means that if $s \circ [u_1, u_2]$ is assumed explicitly in a proof of 
$s' \circ [u_1', u_2']$ and the former can be proved directly, then so can the latter. We prove later 
that this principle is admissible in BL (Theorem 4.5). 
(hyp) $\dfrac{\Sigma; \Psi \models u_1' \leq u_1 \quad \Sigma; \Psi \models u_2 \leq u_2'}{\Sigma; \Psi; E; \Gamma, s \circ [u_1', u_2'] \vdash^{\nu} s \circ [u_1, u_2]}$ 

(claims) $\dfrac{\nu = k, u_b, u_e \quad \Sigma; \Psi \models u_1' \leq u_1 \quad \Sigma; \Psi \models u_2 \leq u_2' \quad \Sigma; \Psi \models u_1' \leq u_b \quad \Sigma; \Psi \models u_e \leq u_2' \quad \Sigma; \Psi \models k' \succeq k}{\Sigma; \Psi; E; \Gamma, k'\ \mathbf{claims}\ s \circ [u_1', u_2'] \vdash^{\nu} s \circ [u_1, u_2]}$ 

(saysI) $\dfrac{\Sigma; \Psi; E; \Gamma| \vdash^{k, u_1, u_2} s \circ [u_1, u_2]}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} k\ \mathbf{says}\ s \circ [u_1, u_2]}$ 

(saysE) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} k\ \mathbf{says}\ s \circ [u_1, u_2] \quad \Sigma; \Psi; E; \Gamma, k\ \mathbf{claims}\ s \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1', u_2']}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']}$ 

(@I) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} (s\ @\ [u_1, u_2]) \circ [u_1', u_2']}$ 

(@E) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s\ @\ [u_1, u_2] \circ [u_1', u_2'] \quad \Sigma; \Psi; E; \Gamma, s \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1'', u_2'']}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s' \circ [u_1'', u_2'']}$ 

(consI) $\dfrac{\Sigma; \Psi \models c}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} c \circ [u_1, u_2]}$ 

(consE) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} c \circ [u_1, u_2] \quad \Sigma; \Psi, c; E; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']}$ 

(interI) $\dfrac{\Sigma; E \models i}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} i \circ [u_1, u_2]}$ 

(interE) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} i \circ [u_1, u_2] \quad \Sigma; \Psi; E, i; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']}$ 

Figure 4.2: BL: Natural deduction, part 1 

Claim principle. $\Sigma; \Psi; E; \Gamma| \vdash^{k, u_1, u_2} s \circ [u_1, u_2]$ and $\Sigma; \Psi; E; \Gamma, k\ \mathbf{claims}\ s \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1', u_2']$ 
imply $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']$. 

The claim principle defines the meaning of the judgment $k\ \mathbf{claims}\ s \circ [u_1, u_2]$. According 
to the principle, the judgment $k\ \mathbf{claims}\ s \circ [u_1, u_2]$ can be substituted by a proof of $s \circ [u_1, u_2]$ 
provided that the latter was obtained in the context $k, u_1, u_2$, and only from claims of 
principals. The restriction operator $\Gamma|$ removes from $\Gamma$ all judgments of the form $r \circ [u_b, u_e]$. 

$\Gamma| = \{(k_0\ \mathbf{claims}\ r \circ [u_b, u_e]) \in \Gamma\}$ 

We prove the admissibility of the claim principle as a theorem (Theorem 4.6). 

Inference rules. Figures 4.2 and 4.3 show the rules of the natural deduction proof system. 
Figure 4.2 contains rules pertaining to hypotheses and connectives other than those of first-order 
logic. Figure 4.3 contains rules pertaining to connectives of first-order logic. As 
usual, we have introduction and elimination rules for each connective (marked I and E 
respectively). For a syntactic entity $S$, $S[t/x]$ denotes the capture avoiding substitution of 
term $t$ for variable $x$ in $S$. 
($\wedge$I) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \circ [u_1, u_2] \quad \Sigma; \Psi; E; \Gamma \vdash^{\nu} s_2 \circ [u_1, u_2]}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \wedge s_2 \circ [u_1, u_2]}$ 

($\wedge$E$_1$) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \wedge s_2 \circ [u_1, u_2]}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \circ [u_1, u_2]}$ 

($\wedge$E$_2$) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \wedge s_2 \circ [u_1, u_2]}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_2 \circ [u_1, u_2]}$ 

($\vee$I$_1$) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \circ [u_1, u_2]}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \vee s_2 \circ [u_1, u_2]}$ 

($\vee$I$_2$) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_2 \circ [u_1, u_2]}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \vee s_2 \circ [u_1, u_2]}$ 

($\vee$E) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \vee s_2 \circ [u_1, u_2] \quad \Sigma; \Psi; E; \Gamma, s_1 \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1', u_2'] \quad \Sigma; \Psi; E; \Gamma, s_2 \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1', u_2']}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']}$ 

($\top$I) $\dfrac{}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} \top \circ [u_1, u_2]}$ 

($\bot$E) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} \bot \circ [u_1, u_2]}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1', u_2']}$ 

($\supset$I) $\dfrac{\Sigma, x_1{:}\mathit{time}, x_2{:}\mathit{time}; \Psi, u_1 \leq x_1, x_2 \leq u_2; E; \Gamma, s_1 \circ [x_1, x_2] \vdash^{\nu} s_2 \circ [x_1, x_2]}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \supset s_2 \circ [u_1, u_2]}$ 

($\supset$E) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \supset s_2 \circ [u_1, u_2] \quad \Sigma; \Psi; E; \Gamma \vdash^{\nu} s_1 \circ [u_1', u_2'] \quad \Sigma; \Psi \models u_1 \leq u_1' \quad \Sigma; \Psi \models u_2' \leq u_2}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s_2 \circ [u_1', u_2']}$ 

($\forall$I) $\dfrac{\Sigma, x{:}\sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} \forall x{:}\sigma.\, s \circ [u_1, u_2]}$ 

($\forall$E) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} \forall x{:}\sigma.\, s \circ [u_1, u_2] \quad \Sigma \vdash t : \sigma}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s[t/x] \circ [u_1, u_2]}$ 

($\exists$I) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s[t/x] \circ [u_1, u_2] \quad \Sigma \vdash t : \sigma}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} \exists x{:}\sigma.\, s \circ [u_1, u_2]}$ 

($\exists$E) $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} \exists x{:}\sigma.\, s \circ [u_1, u_2] \quad \Sigma, x{:}\sigma; \Psi; E; \Gamma, s \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1', u_2']}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']}$ 

Figure 4.3: BL: Natural deduction, part 2 


Rules (hyp) and (claims) in Figure 4.2 allow the use of hypotheses of the forms $s \circ [u_1, u_2]$ 
and $k\ \mathbf{claims}\ s \circ [u_1, u_2]$ respectively. As mentioned earlier, they capture the time 
subsumption and view principles in the proof system. Rule (saysI) can be justified using 
the claim principle. Since $k\ \mathbf{says}\ s \circ [u_1, u_2]$ is logically equivalent to $k\ \mathbf{claims}\ s \circ [u_1, u_2]$, 
the claim principle implies that $(k\ \mathbf{says}\ s) \circ [u_1, u_2]$ should be provable whenever $s \circ [u_1, u_2]$ 
can be proved in the view $k, u_1, u_2$ with hypotheses $\Gamma|$. The latter is exactly the premise of 
(saysI). It should be observed that (saysI) is the only rule in natural deduction that changes 
the view, and further that there is a strong interaction between says and explicit time in BL: 
the two time points in a view are obtained from the last application of (saysI), progressing 
backwards on a derivation. The elimination rule (saysE) is straightforward; it means that 
a proof of $k\ \mathbf{says}\ s \circ [u_1, u_2]$ can be used to substitute the equivalent judgmental form 
$k\ \mathbf{claims}\ s \circ [u_1, u_2]$ from another proof with the same hypotheses. 

Rule (@I) states that in order to establish $s\ @\ [u_1, u_2]$ during any interval $[u_1', u_2']$, 
it suffices to establish $s \circ [u_1, u_2]$. Dually, rule (@E) means that $s\ @\ [u_1, u_2] \circ [u_1', u_2']$ 
is stronger than $s \circ [u_1, u_2]$. Together the rules imply that $s\ @\ [u_1, u_2] \circ [u_1', u_2']$ and 
$s \circ [u_1, u_2]$ are equivalent as judgments, as well as property (12) from §4.1.1. 

According to rule (consI), $c \circ [u_1, u_2]$ may be established by showing $c$ in the prevailing 
constraint hypotheses $\Psi$. Dually, if $c \circ [u_1, u_2]$ can be established then the constraint $c$ may 
be assumed in $\Psi$ (rule (consE)). The two rules together mean that the interpretation of 
constraints is independent of time, which was also discussed earlier in §4.1.1. Rules (interI) 
and (interE) for interpreted atoms are very similar to rules (consI) and (consE) respectively. 
Indeed, constraints and interpreted predicates are so similar to each other from a proof-theoretic 
perspective that they can be merged into one syntactic class without affecting the 
proof theory and metatheory of BL significantly. However, since the truth of interpreted 
predicates changes with system state, whereas that of constraints does not, the two must be 
treated differently during proof verification in PCFS (§5). Hence we maintain a distinction 
between their syntactic classes. 

Since most connectives of first-order logic commute with @ in BL (see §4.1.1), in their 
corresponding inference rules in Figure 4.3, time intervals do not change. For example, to 
establish $s_1 \wedge s_2 \circ [u_1, u_2]$, it suffices to establish $s_1 \circ [u_1, u_2]$ and $s_2 \circ [u_1, u_2]$ (rule ($\wedge$I)). 
Implication is the only connective of first-order logic that has an interesting interaction with 
explicit time. As mentioned in §4.1.1, having a proof of $(s_1 \supset s_2)\ @\ [u_1, u_2]$ is equivalent 
to having a proof of $s_2\ @\ [x_1, x_2]$ from the assumption $s_1\ @\ [x_1, x_2]$ for every subinterval 
$[x_1, x_2]$ of $[u_1, u_2]$. The rule ($\supset$I) lifts this intuition to judgments: in order to establish 
$s_1 \supset s_2 \circ [u_1, u_2]$, it suffices to show that for any two time variables $x_1, x_2$ such that 
$u_1 \leq x_1$ and $x_2 \leq u_2$, it is the case that $s_1 \circ [x_1, x_2]$ entails $s_2 \circ [x_1, x_2]$. Dually, the 
rule ($\supset$E) means that if there are proofs of $s_1 \supset s_2 \circ [u_1, u_2]$ and $s_1 \circ [u_1', u_2']$, where 
$[u_1', u_2'] \subseteq [u_1, u_2]$, then there is also a proof of $s_2 \circ [u_1', u_2']$. 

A note on analysis of constraints. As should be evident from the rules of Figures 4.2 
and 4.3, it is impossible to analyze the structure of constraints in proofs of BL. In particular, 
BL lacks two common rules that previous descriptions of constraint domains in logic have 
allowed (see, e.g., [84]). The first of these rules allows a deduction of any formula from 
a contradictory constraint. For example, it makes $(1 \leq 0) \supset s$ admissible. The second 
rule allows a case analysis on constraints. Were the second rule to be admitted in BL, 
it would suffice to show that $s$ holds on $[u_1, u]$ and also on $[u, u_2]$, possibly through two 
different proofs, in order to conclude that $s$ holds on $[u_1, u_2]$. Thus $((s\ @\ [u_1, u]) \wedge (s\ @\ [u, u_2])) \supset (s\ @\ [u_1, u_2])$ 
would be provable. In BL, we refrain from allowing any such 
analysis of constraints within the logic for three reasons. First, because constraints are 
not justified through explicit evidence, allowing their analysis through the logic's rules 
may result in reduced accountability in proofs. Second, this design decision allows us to 
prove that any proof term which witnesses $s\ @\ [u_1, u_2]$ also witnesses, without change, 




$s\ @\ [u_1', u_2']$ for any $[u_1', u_2'] \subseteq [u_1, u_2]$ (Theorem 5.5). This result is of practical importance 
in the implementation of PCFS, as explained in §4.3.2. Third, it is not clear whether an 
automatic theorem prover can decide when to analyze constraints during proof search, so 
describing a complete proof search strategy for the logic may be impossible if analysis of 
constraints is allowed. 


4.2.3  Metatheory  of  Natural  Deduction 


We prove several metatheoretic properties of the natural deduction system of BL, many 
of which generalize properties of BL$_S$ (§3.2.2). Besides structural properties (weakening 
and contraction), we show that instantiation as well as the substitution, claim, and time 
subsumption principles are admissible. 


Theorem 4.1 (Weakening and Contraction). The following hold: 

1. (Weakening) 

(a) $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ implies $\Sigma, x{:}\sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$. 

(b) $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ implies $\Sigma; \Psi, c; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$. 

(c) $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ implies $\Sigma; \Psi; E, i; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$. 

(d) $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ implies $\Sigma; \Psi; E; \Gamma, J \vdash^{\nu} s \circ [u_1, u_2]$. 

2. (Contraction) $\Sigma; \Psi; E; \Gamma, J, J \vdash^{\nu} s \circ [u_1, u_2]$ implies $\Sigma; \Psi; E; \Gamma, J \vdash^{\nu} s \circ [u_1, u_2]$. 

Further the derivation in the consequent of each statement has a depth no more than that 
of the antecedent.$^4$ 


Proof. By separate induction on the given derivation for each property. □ 


Theorem 4.2 (Instantiation). $\Sigma, x{:}\sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ and $\Sigma \vdash t : \sigma$ imply 
$\Sigma; \Psi[t/x]; E[t/x]; \Gamma[t/x] \vdash^{\nu[t/x]} s[t/x] \circ [u_1[t/x], u_2[t/x]]$. 

Proof. By induction on the derivation of $\Sigma, x{:}\sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$. □ 

The following subsumption property for views is analogous to Theorem 3.4 for BL$_S$. 

Theorem 4.3 (View subsumption). Suppose the following hold: 

1. $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ 

2. $\nu = k_0, u_b, u_e$ 

3. $\Sigma; \Psi \models k_0 \succeq k_0'$, $\Sigma; \Psi \models u_b \leq u_b'$, and $\Sigma; \Psi \models u_e' \leq u_e$. 

4. $\nu' = k_0', u_b', u_e'$ 

Then $\Sigma; \Psi; E; \Gamma \vdash^{\nu'} s \circ [u_1, u_2]$ by a derivation of smaller or equal depth. 

$^4$ The depth of a derivation is defined as the maximum number of BL's inference rules on a path in the 
derivation that starts from its conclusion and ends at a leaf. Rules needed to establish auxiliary judgments 
like $\Sigma \vdash t : \sigma$, $\Sigma; \Psi \models c$, and $\Sigma; E \models i$ are not part of BL's inference rules and do not count towards the 
depth. 

Proof. By induction on the given derivation of $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ and case analysis 
of its last rule. There is only one interesting case, which is shown below. 

Case. (claims) $\dfrac{\nu = k_0, u_b, u_e \quad \Sigma; \Psi \models u_1' \leq u_1 \quad \Sigma; \Psi \models u_2 \leq u_2' \quad \Sigma; \Psi \models u_1' \leq u_b \quad \Sigma; \Psi \models u_e \leq u_2' \quad \Sigma; \Psi \models k' \succeq k_0}{\Sigma; \Psi; E; \Gamma, k'\ \mathbf{claims}\ s \circ [u_1', u_2'] \vdash^{\nu} s \circ [u_1, u_2]}$ 

To show: $\Sigma; \Psi; E; \Gamma, k'\ \mathbf{claims}\ s \circ [u_1', u_2'] \vdash^{\nu'} s \circ [u_1, u_2]$ 

1. $\Sigma; \Psi \models u_b \leq u_b'$ (Assumption 3) 

2. $\Sigma; \Psi \models u_1' \leq u_b$ (Premise) 

3. $\Sigma; \Psi \models u_1' \leq u_b'$ ((C-trans-time) from §4.2.1 on 1, 2) 

4. $\Sigma; \Psi \models u_e' \leq u_e$ (Assumption 3) 

5. $\Sigma; \Psi \models u_e \leq u_2'$ (Premise) 

6. $\Sigma; \Psi \models u_e' \leq u_2'$ ((C-trans-time) from §4.2.1 on 4, 5) 

7. $\Sigma; \Psi \models k_0 \succeq k_0'$ (Assumption 3) 

8. $\Sigma; \Psi \models k' \succeq k_0$ (Premise) 

9. $\Sigma; \Psi \models k' \succeq k_0'$ ((C-trans-prin) from §4.2.1 on 7, 8) 

10. $\Sigma; \Psi; E; \Gamma, k'\ \mathbf{claims}\ s \circ [u_1', u_2'] \vdash^{\nu'} s \circ [u_1, u_2]$ (Rule (claims) on 2nd, 3rd premises and 3, 6, 9) 

The depths of the given derivation and the derivation constructed above are each equal 
to 1. □ 

Next we show that the time subsumption principle, substitution principle, and the claim 
principle are admissible in BL. 

Theorem 4.4 (Time subsumption). Suppose the following hold: 

1. $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ 

2. $\Sigma; \Psi \models u_1 \leq u_1'$ 

3. $\Sigma; \Psi \models u_2' \leq u_2$ 

Then $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1', u_2']$. 
Proof. By induction on the depth of the given derivation of $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ and case 
analysis of its last rule. The proof appeals to Theorem 4.3 and a lemma about substitution 
of constraints. See Theorem B.2 in Appendix B for details of the lemma as well as some of 
the interesting cases of the proof. □ 

Like many other theorems in this section, ensuring that the time subsumption principle 
holds requires care. For example, if we were to replace the rule (@E) by the following rule 
(@E'), which is also admissible in BL and perhaps a more obvious choice, then the time 
subsumption principle would no longer hold. 

(@E') $\dfrac{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s\ @\ [u_1, u_2] \circ [u_1', u_2']}{\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]}$ 

Theorem 4.5 (Substitution). Suppose the following hold: 

1. $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ 

2. $\Sigma; \Psi; E; \Gamma, s \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1', u_2']$ 

Then $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']$. 

Proof. By induction on the given derivation of $\Sigma; \Psi; E; \Gamma, s \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1', u_2']$ and 
a case analysis of its last rule. The only interesting case of the proof, which appeals to 
Theorem 4.4, is shown below. 

Case. (hyp) $\dfrac{\Sigma; \Psi \models u_1 \leq u_1' \quad \Sigma; \Psi \models u_2' \leq u_2}{\Sigma; \Psi; E; \Gamma, s \circ [u_1, u_2] \vdash^{\nu} s \circ [u_1', u_2']}$ 

To show: $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1', u_2']$ 

1. $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ (Assumption) 

2. $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2$ (Premises) 

3. $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1', u_2']$ (Theorem 4.4 on 1, 2) 

□ 


Theorem 4.6 (Claim). Suppose the following hold: 

1. $\Sigma; \Psi; E; \Gamma| \vdash^{k, u_1, u_2} s \circ [u_1, u_2]$ 

2. $\Sigma; \Psi; E; \Gamma, k\ \mathbf{claims}\ s \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1', u_2']$ 

Then $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s' \circ [u_1', u_2']$. 
Proof. By induction on the given derivation of $\Sigma; \Psi; E; \Gamma, k\ \mathbf{claims}\ s \circ [u_1, u_2] \vdash^{\nu} s' \circ [u_1', u_2']$, 
and case analysis of the last rule in it. The interesting cases are shown below. 

Case. (claims) $\dfrac{\nu = k', u_b, u_e \quad \Sigma; \Psi \models u_1 \leq u_1' \quad \Sigma; \Psi \models u_2' \leq u_2 \quad \Sigma; \Psi \models u_1 \leq u_b \quad \Sigma; \Psi \models u_e \leq u_2 \quad \Sigma; \Psi \models k \succeq k'}{\Sigma; \Psi; E; \Gamma, k\ \mathbf{claims}\ s \circ [u_1, u_2] \vdash^{\nu} s \circ [u_1', u_2']}$ 

To show: $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1', u_2']$ 

1. $\Sigma; \Psi; E; \Gamma| \vdash^{k, u_1, u_2} s \circ [u_1, u_2]$ (Assumption 1) 

2. $\Sigma; \Psi; E; \Gamma \vdash^{k, u_1, u_2} s \circ [u_1, u_2]$ (Weakening Theorem 4.1 on 1) 

3. $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1, u_2]$ (Theorem 4.3 on 2 and premises 4-6) 

4. $\Sigma; \Psi; E; \Gamma \vdash^{\nu} s \circ [u_1', u_2']$ (Theorem 4.4 on 3 and premises 2, 3) 

Case. (saysI) $\dfrac{\Sigma; \Psi; E; \Gamma|, k\ \mathbf{claims}\ s \circ [u_1, u_2] \vdash^{k', u_1', u_2'} s' \circ [u_1', u_2']}{\Sigma; \Psi; E; \Gamma, k\ \mathbf{claims}\ s \circ [u_1, u_2] \vdash^{\nu} k'\ \mathbf{says}\ s' \circ [u_1', u_2']}$ 

To show: $\Sigma; \Psi; E; \Gamma \vdash^{\nu} (k'\ \mathbf{says}\ s') \circ [u_1', u_2']$ 

1. $(\Gamma|)| = \Gamma|$ (Definition) 

2. $\Sigma; \Psi; E; (\Gamma|)| \vdash^{k, u_1, u_2} s \circ [u_1, u_2]$ (1 and Assumption 1) 

3. $\Sigma; \Psi; E; \Gamma| \vdash^{k', u_1', u_2'} s' \circ [u_1', u_2']$ (i.h. on 2 and premise) 

4. $\Sigma; \Psi; E; \Gamma \vdash^{\nu} (k'\ \mathbf{says}\ s') \circ [u_1', u_2']$ (Rule (saysI) on 3) 

□ 


4.2.4  Sequent  Calculus 

As  discussed  in  §3.2.3,  in  a  sequent  calculus  inference  rules  apply  to  both  the  hypotheses 
and  conclusion  of  hypothetical  judgments,  and  always  decompose  connectives  when  going 
from  the  conclusion  to  premises.  Hypothetical  judgments  in  a  sequent  calculus  are  called 
sequents.  They  have  the  same  form  as  the  hypothetical  judgments  in  natural  deduction, 
but  we  use  a  different  entailment  symbol  in  sequents  to  distinguish  the  two  inference 
systems. 

Sequents ::= $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} r \circ [u_1,u_2]$

Inference  rules  in  a  sequent  calculus  are  categorized  as  either  left  or  right,  marked  L  and 
R  respectively,  according  to  the  location  of  the  formula  they  decompose  relative  to  the 
entailment  symbol.  The  rules  of  the  sequent  calculus  for  BL  are  shown  in  Figures  4.4 
and  4.5.  Rules  pertaining  to  the  use  of  hypotheses  and  those  pertaining  to  connectives  not 
in  first-order  logic  are  in  Figure  4.4,  while  the  remaining  rules  are  in  Figure  4.5. 
$$\frac{\Sigma;\Psi \models u_1' \le u_1 \qquad \Sigma;\Psi \models u_2 \le u_2'}{\Sigma;\Psi;E;\Gamma, p \circ [u_1',u_2'] \xrightarrow{\nu} p \circ [u_1,u_2]}\ (\text{init})$$

$$\frac{\begin{array}{c}\Sigma;\Psi;E;\Gamma, k\ \mathbf{claims}\ s \circ [u_1,u_2], s \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2'] \\ \nu = k', u_b, u_e \qquad \Sigma;\Psi \models u_1 \le u_b \qquad \Sigma;\Psi \models u_e \le u_2 \qquad \Sigma;\Psi \models k \succeq k'\end{array}}{\Sigma;\Psi;E;\Gamma, k\ \mathbf{claims}\ s \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}\ (\text{claims})$$

$$\frac{\Sigma;\Psi;E;\Gamma| \xrightarrow{k,u_1,u_2} s \circ [u_1,u_2]}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} k\ \mathbf{says}\ s \circ [u_1,u_2]}\ (\text{saysR})$$

$$\frac{\Sigma;\Psi;E;\Gamma, k\ \mathbf{says}\ s \circ [u_1,u_2], k\ \mathbf{claims}\ s \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}{\Sigma;\Psi;E;\Gamma, k\ \mathbf{says}\ s \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}\ (\text{saysL})$$

$$\frac{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s\ @\ [u_1,u_2] \circ [u_1',u_2']}\ (@\text{R})$$

$$\frac{\Sigma;\Psi;E;\Gamma, s\ @\ [u_1',u_2'] \circ [u_1,u_2], s \circ [u_1',u_2'] \xrightarrow{\nu} r \circ [u_1'',u_2'']}{\Sigma;\Psi;E;\Gamma, s\ @\ [u_1',u_2'] \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1'',u_2'']}\ (@\text{L})$$

$$\frac{\Sigma;\Psi \models c}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} c \circ [u_1,u_2]}\ (\text{consR})
\qquad
\frac{\Sigma;\Psi,c;E;\Gamma, c \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}{\Sigma;\Psi;E;\Gamma, c \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}\ (\text{consL})$$

$$\frac{\Sigma;E \models i}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} i \circ [u_1,u_2]}\ (\text{interR})
\qquad
\frac{\Sigma;\Psi;E,i;\Gamma, i \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}{\Sigma;\Psi;E;\Gamma, i \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}\ (\text{interL})$$

Figure 4.4: BL: Sequent calculus, part 1


Rule (init) in Figure 4.4 allows an atomic hypothesis $p \circ [u_1',u_2']$ to be used to conclude $p \circ [u_1,u_2]$ if $[u_1',u_2']$ is a superset of $[u_1,u_2]$. The generalization of this rule to arbitrary formulas corresponds exactly to the rule (hyp) from natural deduction, and is proved to be admissible (Theorem 4.13). Rule (claims) captures exactly the view principle from §4.2.2 in the sequent calculus. It should be noted that its homonym in natural deduction is stronger since that also incorporates the time subsumption principle. However, the two rules are equivalent in the presence of the time subsumption principle (Theorem 4.14).

All other rules decompose connectives. The right rules for each connective are identical to corresponding introduction rules in natural deduction, with the exception of the difference in the entailment symbol. Left rules in the sequent calculus fulfill the same purpose as elimination rules in natural deduction. However, they decompose connectives in the hypotheses, when the rule is read from conclusion to premises. Rule (saysL) in Figure 4.4 means that if $k\ \mathbf{says}\ s \circ [u_1,u_2]$ is assumed in a proof, then so may the hypothesis $k\ \mathbf{claims}\ s \circ [u_1,u_2]$, since the two are logically equivalent to each other. Rule (consL) means that the assumption $c \circ [u_1,u_2]$ entails the constraint $c$, which we already justified in §4.1.1. Rule (interL) is similar, except that it applies to interpreted atoms. The left rules in Figure 4.5 correspond to the properties in §4.1.1. The only remarkable rule here is ($\supset$L), which allows the assumption $s_2 \circ [u_1',u_2']$ to be introduced (second premise) if $s_1 \supset s_2 \circ [u_1,u_2]$ holds during some interval $[u_1,u_2] \supseteq [u_1',u_2']$, and $s_1 \circ [u_1',u_2']$ is provable (first premise). This follows from our intuitive understanding of implication in BL.

$$\frac{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s_1 \circ [u_1,u_2] \qquad \Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s_2 \circ [u_1,u_2]}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s_1 \wedge s_2 \circ [u_1,u_2]}\ (\wedge\text{R})$$

$$\frac{\Sigma;\Psi;E;\Gamma, s_1 \wedge s_2 \circ [u_1,u_2], s_1 \circ [u_1,u_2], s_2 \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}{\Sigma;\Psi;E;\Gamma, s_1 \wedge s_2 \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}\ (\wedge\text{L})$$

$$\frac{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s_1 \circ [u_1,u_2]}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s_1 \vee s_2 \circ [u_1,u_2]}\ (\vee\text{R}_1)
\qquad
\frac{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s_2 \circ [u_1,u_2]}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s_1 \vee s_2 \circ [u_1,u_2]}\ (\vee\text{R}_2)$$

$$\frac{\begin{array}{c}\Sigma;\Psi;E;\Gamma, s_1 \vee s_2 \circ [u_1,u_2], s_1 \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2'] \\ \Sigma;\Psi;E;\Gamma, s_1 \vee s_2 \circ [u_1,u_2], s_2 \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']\end{array}}{\Sigma;\Psi;E;\Gamma, s_1 \vee s_2 \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}\ (\vee\text{L})$$

$$\frac{}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} \top \circ [u_1,u_2]}\ (\top\text{R})
\qquad
\frac{}{\Sigma;\Psi;E;\Gamma, \bot \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}\ (\bot\text{L})$$

$$\frac{\Sigma, x_1{:}\mathsf{time}, x_2{:}\mathsf{time};\ \Psi, u_1 \le x_1, x_2 \le u_2;\ E;\ \Gamma, s_1 \circ [x_1,x_2] \xrightarrow{\nu} s_2 \circ [x_1,x_2]}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s_1 \supset s_2 \circ [u_1,u_2]}\ (\supset\text{R})$$

$$\frac{\begin{array}{c}\Sigma;\Psi;E;\Gamma, s_1 \supset s_2 \circ [u_1,u_2] \xrightarrow{\nu} s_1 \circ [u_1',u_2'] \\ \Sigma;\Psi;E;\Gamma, s_1 \supset s_2 \circ [u_1,u_2], s_2 \circ [u_1',u_2'] \xrightarrow{\nu} r \circ [u_1'',u_2''] \qquad \Sigma;\Psi \models u_1 \le u_1' \qquad \Sigma;\Psi \models u_2' \le u_2\end{array}}{\Sigma;\Psi;E;\Gamma, s_1 \supset s_2 \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1'',u_2'']}\ (\supset\text{L})$$

$$\frac{\Sigma, x{:}\sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} \forall x{:}\sigma.\,s \circ [u_1,u_2]}\ (\forall\text{R})$$

$$\frac{\Sigma;\Psi;E;\Gamma, \forall x{:}\sigma.\,s \circ [u_1,u_2], s[t/x] \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2'] \qquad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Gamma, \forall x{:}\sigma.\,s \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}\ (\forall\text{L})$$

$$\frac{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s[t/x] \circ [u_1,u_2] \qquad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} \exists x{:}\sigma.\,s \circ [u_1,u_2]}\ (\exists\text{R})$$

$$\frac{\Sigma, x{:}\sigma;\Psi;E;\Gamma, \exists x{:}\sigma.\,s \circ [u_1,u_2], s \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}{\Sigma;\Psi;E;\Gamma, \exists x{:}\sigma.\,s \circ [u_1,u_2] \xrightarrow{\nu} r \circ [u_1',u_2']}\ (\exists\text{L})$$

Figure 4.5: BL: Sequent calculus, part 2

Example 4.7 (Properties from §4.1.1). Although all judgments in BL are relativized to time, we may define a priori provability of formula $s$, written $\vdash s$, as an abbreviation for $\Sigma;\cdot;\cdot;\cdot \xrightarrow{\nu} s \circ [-\infty,+\infty]$ where $\Sigma$ assigns sorts to all variables in $s$ and $\nu$ is a view made of three fresh constants. With this definition, all properties of §4.1.1, including those of the form $\nvdash s$, can be established using the rules in Figures 4.4 and 4.5. In addition, $\nvdash \bot$, so BL is consistent.


4.2.5  Metatheory  of  the  Sequent  Calculus 

Next we prove several important metatheorems for the sequent calculus of BL, including admissibility of cut, which encompasses both the substitution principle and the claim principle (Theorems 4.5 and 4.6), as well as the identity principle, which generalizes the (init) rule of Figure 4.4 from uninterpreted atoms to arbitrary formulas. These two theorems together are often considered proof-theoretic analogues of soundness and completeness for inference systems, particularly because they imply, and are essential in the proof of, equivalence of natural deduction and the sequent calculus (Theorem 4.14). Admissibility of cut also implies that natural deduction proofs can be reduced to a normal form, a fact that we prove in §4.5.


Theorem 4.8 (Weakening and Contraction). The following hold:

1. (Weakening)

(a) $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ implies $\Sigma, x{:}\sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$.

(b) $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ implies $\Sigma;\Psi,c;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$.

(c) $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ implies $\Sigma;\Psi;E,i;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$.

(d) $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ implies $\Sigma;\Psi;E;\Gamma, J \xrightarrow{\nu} s \circ [u_1,u_2]$.

2. (Contraction) $\Sigma;\Psi;E;\Gamma, J, J \xrightarrow{\nu} s \circ [u_1,u_2]$ implies $\Sigma;\Psi;E;\Gamma, J \xrightarrow{\nu} s \circ [u_1,u_2]$.

Further, the derivation in the consequent of each statement has a depth no more than that of the antecedent.

Proof. By separate induction on the given derivation for each property. □

Theorem 4.9 (Instantiation). $\Sigma, x{:}\sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ and $\Sigma \vdash t : \sigma$ imply $\Sigma;\Psi[t/x];E[t/x];\Gamma[t/x] \xrightarrow{\nu[t/x]} s[t/x] \circ [u_1[t/x],u_2[t/x]]$.

Proof. By induction on the derivation of $\Sigma, x{:}\sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$. □

Theorem 4.10 (View subsumption). Suppose the following hold:

1. $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$

2. $\nu = k_0, u_b, u_e$

3. $\Sigma;\Psi \models k_0 \succeq k_0'$, $\Sigma;\Psi \models u_b \le u_b'$, and $\Sigma;\Psi \models u_e' \le u_e$.

4. $\nu' = k_0', u_b', u_e'$

Then $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu'} s \circ [u_1,u_2]$ by a derivation of smaller or equal depth.

Proof. By induction on the given derivation of $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ and case analysis of its last rule. There is only one interesting case, which is shown below.

Case.
$$\frac{\begin{array}{c}\Sigma;\Psi;E;\Gamma, k\ \mathbf{claims}\ r \circ [u_1',u_2'], r \circ [u_1',u_2'] \xrightarrow{\nu} s \circ [u_1,u_2] \\ \nu = k_0, u_b, u_e \qquad \Sigma;\Psi \models u_1' \le u_b \qquad \Sigma;\Psi \models u_e \le u_2' \qquad \Sigma;\Psi \models k \succeq k_0\end{array}}{\Sigma;\Psi;E;\Gamma, k\ \mathbf{claims}\ r \circ [u_1',u_2'] \xrightarrow{\nu} s \circ [u_1,u_2]}\ (\text{claims})$$

To show: $\Sigma;\Psi;E;\Gamma, k\ \mathbf{claims}\ r \circ [u_1',u_2'] \xrightarrow{\nu'} s \circ [u_1,u_2]$

1. $\Sigma;\Psi \models u_b \le u_b'$ (Assumption 3)

2. $\Sigma;\Psi \models u_1' \le u_b$ (Premise)

3. $\Sigma;\Psi \models u_1' \le u_b'$ ((C-trans-time) from §4.2.1 on 1,2)

4. $\Sigma;\Psi \models u_e' \le u_e$ (Assumption 3)

5. $\Sigma;\Psi \models u_e \le u_2'$ (Premise)

6. $\Sigma;\Psi \models u_e' \le u_2'$ ((C-trans-time) from §4.2.1 on 4,5)

7. $\Sigma;\Psi \models k_0 \succeq k_0'$ (Assumption 3)

8. $\Sigma;\Psi \models k \succeq k_0$ (Premise)

9. $\Sigma;\Psi \models k \succeq k_0'$ ((C-trans-prin) from §4.2.1 on 7,8)

10. $\Sigma;\Psi;E;\Gamma, k\ \mathbf{claims}\ r \circ [u_1',u_2'], r \circ [u_1',u_2'] \xrightarrow{\nu'} s \circ [u_1,u_2]$ (i.h. on 1st premise)

11. $\Sigma;\Psi;E;\Gamma, k\ \mathbf{claims}\ r \circ [u_1',u_2'] \xrightarrow{\nu'} s \circ [u_1,u_2]$ (Rule (claims) on 10,3,6,9)

□

Theorem 4.11 (Time subsumption). Suppose the following hold:

1. $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$

2. $\Sigma;\Psi \models u_1 \le u_1'$

3. $\Sigma;\Psi \models u_2' \le u_2$

Then $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1',u_2']$.

Proof. By induction on the depth of the given derivation of $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ and case analysis of its last rule. The proof appeals to Theorem 4.10 and a lemma about substitution of constraints. See Theorem B.4 in Appendix B for details of the lemma as well as some of the interesting cases of the proof. □

Theorem 4.12 (Admissibility of cut). The following two properties hold:

1. Suppose that

(a) $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ and

(b) $\Sigma;\Psi;E;\Gamma, s \circ [u_1,u_2] \xrightarrow{\nu} s' \circ [u_1',u_2']$

Then $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s' \circ [u_1',u_2']$.

2. Suppose that

(a) $\Sigma;\Psi;E;\Gamma| \xrightarrow{k,u_1,u_2} s \circ [u_1,u_2]$

(b) $\Sigma;\Psi;E;\Gamma, k\ \mathbf{claims}\ s \circ [u_1,u_2] \xrightarrow{\nu} s' \circ [u_1',u_2']$

Then $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s' \circ [u_1',u_2']$.

Proof. By a simultaneous lexicographic induction, first on the size of the cut formula $s$, then on the order (2) > (1), and finally on the depths of the two given derivations, as in prior work [43, 54, 113]. See Theorem B.6 in Appendix B for some of the cases of the proof. □

Theorem 4.13 (Identity). If $\Sigma;\Psi \models u_1 \le u_1'$ and $\Sigma;\Psi \models u_2' \le u_2$, then $\Sigma;\Psi;E;\Gamma, s \circ [u_1,u_2] \xrightarrow{\nu} s \circ [u_1',u_2']$.

Proof. By induction on $s$. The base case where $s$ is an uninterpreted atom follows immediately from rule (init) in Figure 4.4. The base case where $s$ is an interpreted atom is shown below. The third base case where $s$ is a constraint is similar to it. All the remaining cases of the proof follow prior work on η logic [54].

Case. $s = i$. To show: $\Sigma;\Psi;E;\Gamma, i \circ [u_1,u_2] \xrightarrow{\nu} i \circ [u_1',u_2']$.

1. $\Sigma;E,i \models i$ ((S-hyp) from §4.2.1)

2. $\Sigma;\Psi;E,i;\Gamma, i \circ [u_1,u_2] \xrightarrow{\nu} i \circ [u_1',u_2']$ (Rule (interR) on 1)

3. $\Sigma;\Psi;E;\Gamma, i \circ [u_1,u_2] \xrightarrow{\nu} i \circ [u_1',u_2']$ (Rule (interL) on 2)

□
4.2.6 Equivalence of Proof Systems

Despite differences in inference rules, the natural deduction system and the sequent calculus for BL establish exactly the same hypothetical judgments. This is formalized in the following theorem, which we prove by simulating the rules of each inference system in the other. Showing that each rule of the sequent calculus can be simulated in natural deduction is relatively straightforward: the right rules correspond to introduction rules directly, and left rules are easily simulated using elimination rules, together with the substitution principle (Theorem 4.5) in some cases.⁵ Conversely, for simulating elimination rules of natural deduction in the sequent calculus, we appeal to admissibility of cut (Theorem 4.12) and identity (Theorem 4.13).

Theorem 4.14 (Equivalence). The following are equivalent.

1. $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ in the sequent calculus.

2. $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2]$ in natural deduction.

Proof. See Appendix B, Theorem B.7. □

4.3  Use  of  BL  in  PCFS 

As mentioned in §2, the logic BL is used to express authorization policies in the file system PCFS and to enforce them. This section discusses briefly how files, principals, permissions, time points, and policy rules are represented concretely in the logic, what judgments need to be proved in order to obtain access, and how PCFS enforces dynamism in policies that are either time sensitive or rely on system state.

Representation  of  principals,  time,  files,  and  permissions.  Although  the  theory  of 
BL  discussed  in  this  chapter  is  agnostic  to  the  concrete  representation  of  terms,  from  the 
perspective  of  an  implementation,  making  this  choice  is  important.  In  PCFS,  principals 
are  represented  in  one  of  two  ways:  either  as  symbolic  constants,  which  may  be  added 
to  a  special  declarations  file  that  is  protected  by  the  back  end  (see  §7  for  details),  or  by 
their  Linux  user  ids.  In  practice,  the  former  representation  is  used  for  principals  that  do 
not  correspond  to  any  real  users  (e.g.,  organizational  roles),  while  the  latter  is  used  for 
principals  that  do  (e.g.,  users  that  run  programs  and  access  files).  Access  permissions  are 
given  on  a  per-file  or  per-directory  basis  to  real  users. 

In PCFS, the clock of the reference monitor (file system back end) is the authority on time; all time points in logical formulas and procaps refer to this clock. Ground time points are represented in absolute form as YYYY:MM:DD:hh:mm:ss, which can be abbreviated to YYYY:MM:DD when hh:mm:ss are 00:00:00. The parser for BL converts all time points to integers that measure seconds from a fixed reference point. The exact reference point is irrelevant for all practical purposes, but it should be noted that the precision of time used in PCFS is one second. Fractions of time beyond this precision are rounded down whenever the system clock is read.

⁵ It is possible to simulate some rules of the sequent calculus in natural deduction by using the rules (⊃I) and (⊃E) in place of substitution. See, for example, Proposition 2.4 in [16].

In  addition  to  principal  and  time,  the  implementation  of  BL  in  PCFS  supports  two 
additional  sorts:  file  (for  file  and  directory  names)  and  perm  (for  permissions).  Ground  files 
and  directories  are  represented  by  their  full  path  names  relative  to  the  path  where  PCFS  is 
mounted. Thus, if PCFS is mounted at /path/to/mountpoint, then the file /foo/bar in
any BL formula refers to the file /path/to/mountpoint/foo/bar in the file system. Making
the  path  names  relative  to  the  mount  point  has  the  advantage  that  the  mount  point  can 
be  changed  without  having  to  change  existing  policy  rules,  proofs,  and  procaps.  It  has  the 
disadvantage  that  without  some  explicit  naming  convention,  there  may  be  confusion  among 
the  policy  rules  of  different  PCFS  file  systems  on  the  same  server. 

The  sort  of  permissions,  perm,  contains  five  ground  elements,  which  correspond  to  the 
five  permissions  that  PCFS  uses:  read,  write,  execute,  identity,  and  govern.  Permissions  read 
and  write  are  needed  to  read  and  change  a  file  or  directory  respectively,  whereas  execute  is 
needed to read meta-data. The remaining two permissions, identity and govern, are described
in  §7. 

Interpreted Predicates. PCFS natively supports two interpreted predicates in BL: owner f k, which means that file f has owner k, and has_xattr f a v, which means that file f has value v for the extended attribute user.#pcfs.a.⁶ Both file ownership as well as extended attributes beginning with the prefix user.#pcfs. are specially protected by PCFS; the permission govern is needed to change them (details are in §7). It is expected that only trusted users will be given this permission. As a result, file ownership and extended attributes starting with the prefix user.#pcfs. can be used to classify files in a secure manner, and the interpreted predicates owner and has_xattr can be used to reference them in policy rules, as illustrated in the example in §4.3.3.

Support for other interpreted predicates can be added to BL's implementation in PCFS through a programming API provided for this purpose. As a convention, we write interpreted predicates in boldface.

Arithmetic on Time and Constraints. The implementation of BL in PCFS supports simple arithmetic over time points through a new sort exp whose elements are denoted $e$. exp includes all elements of time via a coercing function symbol and in addition includes terms of the forms $e_1 + e_2$, $e_1 - e_2$, $\max(e_1,e_2)$, and $\min(e_1,e_2)$. The terms in exp are interpreted via the new constraint form is $u$ $e$, which means that the simplification of $e$ in the usual arithmetic sense equals $u$. This idea of making simplification of arithmetic expressions explicit via the constraint form is $u$ $e$ is borrowed from logic programming in languages like Prolog. It should be noted that is $u$ $e$ is different from term equality in many other logics, because BL does not allow implicit substitution of $e$ for $u$ in judgments even if is $u$ $e$ holds. Nonetheless is $u$ $e$ is very useful for representing many policies of interest in BL, including those in §8.

⁶ An extended attribute is a meta-data field on a file or directory whose value can be set by users. Many file systems including XFS, JFS, ext3, and PCFS support extended attributes.
4.3.1 Policies and Authorizations

Following past work on proof-carrying authorization, we assume in PCFS that formulas are established a priori by digitally signed certificates. In PCFS, it is assumed that every digitally signed certificate is valid during an interval of time, which is written inside the certificate before the latter is signed. This is consistent with what common certificate schemes like X.509 and PGP allow. In general, if principal $k$ creates a certificate that is valid during the interval $[u_1,u_2]$ and contains the formula $s$, then this is represented in BL as the hypothesis $k\ \mathbf{claims}\ s \circ [u_1,u_2]$. (Alternatively, we could have chosen one of the equivalent representations $(k\ \mathbf{says}\ s) \circ [u_1,u_2]$ and $(k\ \mathbf{says}\ s)\ @\ [u_1,u_2] \circ [-\infty,+\infty]$, but the representation we use is most convenient, since it is in some sense the simplest.)

A judgment $k\ \mathbf{claims}\ s \circ [u_1,u_2]$ established by a signed certificate is called a policy rule, and a collection of such judgments is called a policy. The top level hypotheses $\Gamma$ in all proof search and verification problems in BL are always a policy. PCFS also requires that a unique name be provided for each policy rule in the certificate that establishes the rule; this name is used to refer to the rule in proofs (§5).

What should be proved? PCFS assumes the existence of one distinguished principal, symbolically denoted admin, who has the ultimate authority on access. The actual identity of admin is provided to PCFS through a configuration file, which we discuss in §7. In order to get permission $\eta$ on file $f$ at time $u$, user $k$ must prove that the policy in effect entails the defined basic judgment $\mathrm{auth}(k, f, \eta, u)$, where:

$$\mathrm{auth}(k, f, \eta, u) = \mathit{admin}\ \mathbf{says}\ (\text{may}\ k\ f\ \eta) \circ [u,u]$$

may is a fixed uninterpreted predicate taking three arguments, and $u$ is the time of access. (In PCFS, "time of access" refers to the time at which access checks for a file system call are initiated.) $[u,u]$ is a singleton set containing exactly the time point $u$. More precisely, it must be established that $\Sigma;\cdot;E;\Gamma \vdash^{\nu} \mathrm{auth}(k, f, \eta, u)$, where:

- $\Sigma$ is the sorting in effect. It is specified through a signature file that is protected by PCFS (§7).

- $E$ is the state of the file system at the time $u$.

- $\Gamma$ is the policy, evidenced by digitally signed certificates as described earlier.

- $\nu$ is a view made of three fresh constants.

It can easily be seen that establishing $\Sigma;\cdot;E;\Gamma \vdash^{\nu} \mathrm{auth}(k, f, \eta, u)$ is equivalent to establishing $\Sigma;\cdot;E;\Gamma \vdash^{\nu_0} \text{may}\ k\ f\ \eta \circ [u,u]$, with $\nu_0 = \mathit{admin}, u, u$, whenever $\Gamma$ is a policy.

4.3.2 Policy Enforcement

Although the use of the time interval $[u,u]$ in the judgment to be proved for authorization takes into account dependence of the policy on explicit time, it results in a practical problem: how is the time of access $u$ to be determined to the precision of a second at the time that a proof is constructed or verified, both of which happen prior to access in PCFS (§2)? Indeed, determining $u$ to such high precision in advance of access is impossible in most settings. Fortunately, the time subsumption principle (Theorems 4.4 and 4.11) can be used to alleviate the problem in a reasonable way. Instead of constructing a proof of $\mathit{admin}\ \mathbf{says}\ (\text{may}\ k\ f\ \eta) \circ [u,u]$, a principal desirous of access may construct a proof of $\mathit{admin}\ \mathbf{says}\ (\text{may}\ k\ f\ \eta) \circ [u_1,u_2]$ where $[u_1,u_2]$ is a time interval that contains $u$. If this succeeds then the time subsumption principle guarantees that $\mathit{admin}\ \mathbf{says}\ (\text{may}\ k\ f\ \eta) \circ [u,u]$ is also provable, hence the former proof also witnesses the provability of the latter. In fact, in §5 we extend Theorem 4.4 to show that the same proof term which proves $\mathit{admin}\ \mathbf{says}\ (\text{may}\ k\ f\ \eta) \circ [u_1,u_2]$ also proves $\mathit{admin}\ \mathbf{says}\ (\text{may}\ k\ f\ \eta) \circ [u,u]$. Consequently, the exact time of access $u$ need not be known at the time of proof construction; only a rough estimate of its range suffices. The proof verifier extracts from the proof the interval of time over which it is valid and writes the interval into the procap it generates. The back end of PCFS ensures that the time of access $u$ is in this interval. The process of extraction of the time interval from a proof is explained in §5, and it is also shown formally that the process is sound.

A related problem arises for the state of the system $E$: how can the state at the time of access be estimated during proof construction or verification? To address this problem, the proof search tool in PCFS requires the user to provide selective input about expected state (§6), and the verification tool simply writes every interpreted atom it encounters in a proof to the procap it outputs. The back end then checks all such interpreted atoms at the time of access in the prevailing state (§5).

4.3.3 Example: Course Administration

We illustrate the use of BL through a simple example that expresses in the logic a policy for access to class homework directories in a hypothetical university UV. Assume that UV provides all class instructors storage space on a central server that can be used to collect homeworks from students. A principal called registrar decides the instructor of each class as well as its teaching assistants (TAs) and students, expressed formally by the predicates (is-instructor k class), (is-ta k class), and (is-student k class) respectively. A separate principal diradmin assigns directories on the central server to classes; the predicate (is-dir dir class) means that directory dir has been assigned to class. Each directory is assumed to have an extended attribute user.#pcfs.state which determines who is allowed to read and write the directory. Possible values of this extended attribute are:

A. prep, meaning that the contents of the directory are being prepared. In this state only the TAs have read and write access to the directory.

B. submission, meaning that the homework in the directory is active. In this state all registered students can read and write the directory.⁷

⁷ We side-step the issue of having a separate homework submission directory for each student, so strictly speaking, in this example, students will be able to read and write each others' homeworks. This can be easily avoided by modifying the formalization.
C. done, meaning that homework submission to the directory has been closed. In this state only the TAs have read access to the directory.

The value of the attribute user.#pcfs.state can only be changed by the instructor of the class to which the directory is assigned. This instructor always has both read and write permissions to the directory. Assuming that the principal admin has final control over determining access to directories on the central server, and that (may k d $\eta$) means that principal k has permission $\eta$ on directory d, the policy rules for access are shown in rules (1)-(8) in Figure 4.6.

Rule (1) states that the instructor k of a class l may read any directory d associated with the class. The annotation $\circ [-\infty,+\infty]$ on this rule as well as on others means that the rule applies at all points of time. Rule (2) is similar, except that it authorizes write access. Rule (3) allows a TA k of class l to read a directory d associated with the class if the extended attribute user.#pcfs.state on the directory has been set to prep. Rule (4) is similar; it allows write access to TAs. Rules (5) and (6) allow students to read and write directories in the state submission. Rule (7) allows TAs to read directories in state done. The salient point to observe in rules (3)-(7) is the use of the interpreted predicate has_xattr, which guarantees the properties mentioned in (A)-(C) above.

Rule (8) gives the instructor of a class the authority to change the extended attributes of any directory associated with the class (and hence influence which of the rules (3)-(7) will apply to the directory), by giving her the govern permission. An important observation is that this authorization policy does not restrict the instructor's use of the govern permission to setting the attribute user.#pcfs.state in the specific order prep → submission → done. Instead we trust the instructor to follow this protocol correctly.

As a specific instance of the use of this policy, let us assume that Alice is instructor for class cs101 from August 20, 2009 to December 20, 2009. This would be established by a certificate from registrar, who would constrain its validity to exactly this interval of time. In BL, this certificate would be reflected as the judgment (9) in Figure 4.6. Further suppose that Terence is appointed TA for cs101 for the period September 01, 2009 to September 30, 2009. This may be represented by judgment (10). Finally assume that a directory cs101dir has been assigned to the class for the latter's duration (judgment (11)), and that on September 15, 2009, the attribute user.#pcfs.state on the directory cs101dir has value prep.

Then, it is quite easy to prove using the rules of the sequent calculus that the policy rules (4), (10), and (11) from Figure 4.6 entail the following judgment for any time point $u$ in the interval September 01, 2009 to September 30, 2009, provided that the attribute user.#pcfs.state on cs101dir is set to prep, thus allowing Terence to write cs101dir at any such time $u$.

$$(\mathit{admin}\ \mathbf{claims}\ (\text{may}\ \text{Terence}\ \text{cs101dir}\ \text{write})) \circ [u,u]$$

What is more interesting here is that the judgment cannot be proved if either $u$ is not in the interval September 01, 2009 to September 30, 2009, or the attribute user.#pcfs.state on cs101 does not have the value prep. This illustrates how, through its combination of interpreted predicates, constraints, and explicit time, BL is able to express dynamic policies that rely on both system state as well as time.
General rules:

$$\begin{array}{l}(1)\ \mathit{admin}\ \mathbf{claims}\ \forall k, d, l.\ (((\mathit{diradmin}\ \mathbf{says}\ (\text{is-dir}\ d\ l)) \wedge (\mathit{registrar}\ \mathbf{says}\ (\text{is-instructor}\ k\ l))) \\ \qquad\qquad \supset \text{may}\ k\ d\ \text{read}) \circ [-\infty,+\infty]\end{array}$$

$$\begin{array}{l}(2)\ \mathit{admin}\ \mathbf{claims}\ \forall k, d, l.\ (((\mathit{diradmin}\ \mathbf{says}\ (\text{is-dir}\ d\ l)) \wedge (\mathit{registrar}\ \mathbf{says}\ (\text{is-instructor}\ k\ l))) \\ \qquad\qquad \supset \text{may}\ k\ d\ \text{write}) \circ [-\infty,+\infty]\end{array}$$

$$\begin{array}{l}(3)\ \mathit{admin}\ \mathbf{claims}\ \forall k, d, l.\ (((\mathit{diradmin}\ \mathbf{says}\ (\text{is-dir}\ d\ l)) \wedge (\mathit{registrar}\ \mathbf{says}\ (\text{is-ta}\ k\ l)) \wedge \\ \qquad\qquad (\mathbf{has\_xattr}\ d\ \text{state}\ \text{prep})) \supset \text{may}\ k\ d\ \text{read}) \circ [-\infty,+\infty]\end{array}$$

$$\begin{array}{l}(4)\ \mathit{admin}\ \mathbf{claims}\ \forall k, d, l.\ (((\mathit{diradmin}\ \mathbf{says}\ (\text{is-dir}\ d\ l)) \wedge (\mathit{registrar}\ \mathbf{says}\ (\text{is-ta}\ k\ l)) \wedge \\ \qquad\qquad (\mathbf{has\_xattr}\ d\ \text{state}\ \text{prep})) \supset \text{may}\ k\ d\ \text{write}) \circ [-\infty,+\infty]\end{array}$$

$$\begin{array}{l}(5)\ \mathit{admin}\ \mathbf{claims}\ \forall k, d, l.\ (((\mathit{diradmin}\ \mathbf{says}\ (\text{is-dir}\ d\ l)) \wedge (\mathit{registrar}\ \mathbf{says}\ (\text{is-student}\ k\ l)) \wedge \\ \qquad\qquad (\mathbf{has\_xattr}\ d\ \text{state}\ \text{submission})) \supset \text{may}\ k\ d\ \text{read}) \circ [-\infty,+\infty]\end{array}$$

$$\begin{array}{l}(6)\ \mathit{admin}\ \mathbf{claims}\ \forall k, d, l.\ (((\mathit{diradmin}\ \mathbf{says}\ (\text{is-dir}\ d\ l)) \wedge (\mathit{registrar}\ \mathbf{says}\ (\text{is-student}\ k\ l)) \wedge \\ \qquad\qquad (\mathbf{has\_xattr}\ d\ \text{state}\ \text{submission})) \supset \text{may}\ k\ d\ \text{write}) \circ [-\infty,+\infty]\end{array}$$

$$\begin{array}{l}(7)\ \mathit{admin}\ \mathbf{claims}\ \forall k, d, l.\ (((\mathit{diradmin}\ \mathbf{says}\ (\text{is-dir}\ d\ l)) \wedge (\mathit{registrar}\ \mathbf{says}\ (\text{is-ta}\ k\ l)) \wedge \\ \qquad\qquad (\mathbf{has\_xattr}\ d\ \text{state}\ \text{done})) \supset \text{may}\ k\ d\ \text{read}) \circ [-\infty,+\infty]\end{array}$$

$$\begin{array}{l}(8)\ \mathit{admin}\ \mathbf{claims}\ \forall k, d, l.\ (((\mathit{diradmin}\ \mathbf{says}\ (\text{is-dir}\ d\ l)) \wedge (\mathit{registrar}\ \mathbf{says}\ (\text{is-instructor}\ k\ l))) \\ \qquad\qquad \supset \text{may}\ k\ d\ \text{govern}) \circ [-\infty,+\infty]\end{array}$$

Rules specific to an instance:

$$(9)\ \mathit{registrar}\ \mathbf{claims}\ (\text{is-instructor}\ \text{Alice}\ \text{cs101}) \circ [2009{:}08{:}20, 2009{:}12{:}20]$$

$$(10)\ \mathit{registrar}\ \mathbf{claims}\ (\text{is-ta}\ \text{Terence}\ \text{cs101}) \circ [2009{:}09{:}01, 2009{:}09{:}30]$$

$$(11)\ \mathit{diradmin}\ \mathbf{claims}\ (\text{is-dir}\ \text{cs101dir}\ \text{cs101}) \circ [2009{:}08{:}20, 2009{:}12{:}20]$$

Figure 4.6: Policy rules for access to class directories


A large case study on the use of BL for controlling access to classified information that is based on ideas similar to those in this example is presented in §8. Other examples of the use of explicit time, but not interpreted predicates, in the context of authorization may be found in prior joint work of the author [54].


4.4 Justification for the Use of Time Points in BL Views

In generalizing the logic from $\mathrm{BL}_S$ to BL we have also generalized views from being principals $k_0$ to triples $k_0, u_b, u_e$. The question is whether this generalization is necessary. More precisely, can we systematically erase the time points $u_b, u_e$ from views in all rules of the sequent calculus (Figures 4.4 and 4.5), and work with the resulting logic?

From the perspective of proof theory there is no problem with this new logic. Its proof theory is simpler than that of BL and analogues of the theorems of §4.2.5 are admissible in it. The problem with the logic lies in its expressiveness: it admits the following sequent (which BL does not in general).

$$\Sigma;\cdot;\cdot;\ k\ \textsf{claims}\ (s \mathrel{@} [u_1,u_2]) \circ [u_1',u_2'] \longrightarrow k\ \textsf{says}\ s \circ [u_1,u_2]$$

Put more succinctly, the formulas $(k\ \textsf{says}\ (s \mathrel{@} [u_1,u_2])) \mathrel{@} [u_1',u_2']$ and $(k\ \textsf{says}\ s) \mathrel{@} [u_1,u_2]$ are equivalent in the logic. As an example of the consequences of this expressiveness, suppose that principal admin signs the formula $(\textsf{may}\ \textsf{Alice}\ \textsf{foo.txt}\ \textsf{read}) \mathrel{@} [2009{:}01{:}01,\ 2009{:}12{:}31]$, i.e. a formula that allows Alice access throughout 2009, and puts it in a certificate that is valid during the interval $[2009{:}01{:}01,\ 2009{:}06{:}30]$. Note that the certificate itself expires on June 30, 2009. According to the description in §4.3, this certificate would be reflected in the logic as the hypothesis:

$$\textsf{admin}\ \textsf{claims}\ ((\textsf{may}\ \textsf{Alice}\ \textsf{foo.txt}\ \textsf{read}) \mathrel{@} [2009{:}01{:}01,\ 2009{:}12{:}31]) \circ [2009{:}01{:}01,\ 2009{:}06{:}30]$$

Now we ask the question: given this and only this hypothesis, should Alice be allowed to read foo.txt on September 01, 2009 at 00:00:00 hours? Or equivalently, should this hypothesis entail the judgment

$$\textsf{admin}\ \textsf{claims}\ (\textsf{may}\ \textsf{Alice}\ \textsf{foo.txt}\ \textsf{read}) \circ [2009{:}09{:}01,\ 2009{:}09{:}01]$$

If we use BL, the answer would be no, as can easily be proved using the sequent calculus. However, if we were to use the modified logic, the answer would be yes: the required entailment is an instance of the sequent shown earlier, followed by one use of time subsumption.

The question then is which of the two answers is correct: should Alice be allowed the access or not? In this case it seems that BL's answer is the correct one. Since admin's certificate expires on June 30, 2009 and nothing in the policy explicitly allows the use of an expired certificate, a proof constructed from admin's certificate should not be acceptable on September 01, 2009. It is for this reason, to prevent implicit use of expired certificates and to take into account the validity of a certificate even if the content of the certificate mentions another time interval, that we choose to keep the time points $u_b, u_e$ in the views in BL. In settings where this is not desirable, the other logic obtained by dropping time points from views may be more appropriate.
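The two decisions discussed above, Terence's write access under rule (4) of Figure 4.6 and Alice's read access from a certificate that has expired, can be spelled out as a small ground evaluator. The following is an added example, not code from the thesis or from PCFS: it models a certificate as $k\ \textsf{claims}\ s \circ [v_b, v_e]$ whose signed atom may carry an $@$ interval, and decides the point-interval judgment directly instead of by BL proof search. The `Certificate` class, the function names and the `check_validity` switch (BL's reading versus the weakened logic that erases time points from views) are assumptions of this illustration, and the certificates are constructed sample data.

```python
"""Ground evaluator for the class-directory policy of Figure 4.6 and for the
certificate-expiry example of Section 4.4.  Added illustration, not code from
the thesis or from PCFS: instead of BL proof search it decides the ground
instance admin claims (may k d write) o [u,u] directly, and the Certificate
class and helper names below are assumptions made here."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional, Tuple

Interval = Tuple[date, date]


@dataclass(frozen=True)
class Certificate:
    """k claims s o [vb, ve]: `issuer` signs `atom` (e.g. ('is-ta', 'Terence',
    'cs101')); the certificate itself is valid on `validity`.  `content` is the
    @-interval attached to the atom inside the signed formula (atom @ [cb, ce]);
    None means the atom carries no @ suffix."""
    issuer: str
    atom: tuple
    validity: Interval
    content: Optional[Interval] = None


def within(u: date, iv: Interval) -> bool:
    """u lies in the closed interval iv."""
    return iv[0] <= u <= iv[1]


def establishes(cert: Certificate, issuer: str, atom: tuple, u: date,
                check_validity: bool = True) -> bool:
    """Does `cert` yield `issuer says atom` on the point interval [u,u]?

    check_validity=True is BL's reading: the certificate's own o-interval must
    contain u (the claims rule), and if the signed atom carries an @ suffix that
    interval must contain u as well.  check_validity=False ignores the
    o-interval, which is what the weakened logic of Section 4.4 (time points
    erased from views) permits."""
    if cert.issuer != issuer or cert.atom != atom:
        return False
    if check_validity and not within(u, cert.validity):
        return False
    if cert.content is not None and not within(u, cert.content):
        return False
    return True


def ta_may_write(certs: Iterable[Certificate], k: str, d: str, u: date,
                 xattr_state: str) -> bool:
    """Rule (4): (diradmin says is-dir d l) ∧ (registrar says is-ta k l) ∧
    (has_xattr d state prep) ⊃ may k d write.  The class l is taken from the
    is-dir certificates; has_xattr is the interpreted predicate, here read
    from the directory's user.#pcfs.state attribute passed in as a string."""
    certs = list(certs)
    if xattr_state != "prep":
        return False
    for c in certs:
        if c.atom[:2] == ("is-dir", d) and establishes(c, "diradmin", c.atom, u):
            l = c.atom[2]
            if any(establishes(r, "registrar", ("is-ta", k, l), u) for r in certs):
                return True
    return False


def may_read(certs: Iterable[Certificate], k: str, f: str, u: date,
             check_validity: bool = True) -> bool:
    """admin claims (may k f read) o [u,u] from a direct admin certificate."""
    return any(establishes(c, "admin", ("may", k, f, "read"), u, check_validity)
               for c in certs)


# Constructed sample data: judgments (9)-(11) of Figure 4.6 ...
CLASS_CERTS = [
    Certificate("registrar", ("is-instructor", "Alice", "cs101"),
                (date(2009, 8, 20), date(2009, 12, 20))),                 # (9)
    Certificate("registrar", ("is-ta", "Terence", "cs101"),
                (date(2009, 9, 1), date(2009, 9, 30))),                   # (10)
    Certificate("diradmin", ("is-dir", "cs101dir", "cs101"),
                (date(2009, 8, 20), date(2009, 12, 20))),                 # (11)
]
# ... and admin's certificate from Section 4.4: the signed content covers all
# of 2009, but the certificate itself expires on June 30, 2009.
FOO_CERTS = [
    Certificate("admin", ("may", "Alice", "foo.txt", "read"),
                validity=(date(2009, 1, 1), date(2009, 6, 30)),
                content=(date(2009, 1, 1), date(2009, 12, 31))),
]

if __name__ == "__main__":
    print(ta_may_write(CLASS_CERTS, "Terence", "cs101dir", date(2009, 9, 15), "prep"))  # True
    print(ta_may_write(CLASS_CERTS, "Terence", "cs101dir", date(2009, 10, 1), "prep"))  # False
    print(may_read(FOO_CERTS, "Alice", "foo.txt", date(2009, 9, 1)))                    # False
    print(may_read(FOO_CERTS, "Alice", "foo.txt", date(2009, 9, 1), check_validity=False))  # True
```

The last two calls are the point of §4.4: with the certificate's own validity interval enforced, the September 1 access is refused even though the signed content says Alice may read all year; dropping that check (the weakened logic) grants it.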
4.5 Proof Normalization

The subject of this section is orthogonal to the rest of the thesis and the disinclined reader may skip it without a break in continuity.

We show that every natural deduction proof can be reduced to a proof in canonical form. The latter are a subclass of proofs. Reduction of a proof to a canonical form is called proof normalization. Although not directly useful in PCFS, it is an important proof-theoretic result. Canonical proofs also lead to bidirectional proof verification, which is used in PCFS (§5). An interesting aspect of our proof of the existence of canonical proofs is the use of the sequent calculus and its equivalence to natural deduction (Theorem 4.14) instead of the usual approach of defining a proof rewrite system such as $\beta$-reduction, and showing that it always terminates. The technical material in this section is a generalization of similar work for other logics [114, 119, 145].


What is a canonical proof? By a canonical proof we mean a natural deduction proof that has no $\beta$-redexes and to which commuting conversions have been applied to the maximum possible extent. Both $\beta$-redexes and commuting conversions are informally explained below, and canonical proofs are formally defined later.

A $\beta$-redex is a locus in a proof where the principal formula of an elimination rule is established using an introduction rule. For example, consider a proof which ends as shown below. This proof has a $\beta$-redex since the formula $k\ \textsf{says}\ s$ is introduced using the rule (saysI) and immediately eliminated using the rule (saysE). Due to the presence of this $\beta$-redex the proof is not canonical.


$$\frac{\dfrac{\overset{\mathcal{D}}{\Sigma;\Psi;E;\Gamma|_{k,u_1,u_2} \vdash^{k,u_1,u_2} s \circ [u_1,u_2]}}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} k\ \textsf{says}\ s \circ [u_1,u_2]}\ \textsf{saysI} \qquad \overset{\mathcal{E}}{\Sigma;\Psi;E;\Gamma,\ k\ \textsf{claims}\ s \circ [u_1,u_2] \vdash^{\nu} r \circ [u_1',u_2']}}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} r \circ [u_1',u_2']}\ \textsf{saysE}$$

This $\beta$-redex can be eliminated by applying Theorem 4.6 to the derivations $\mathcal{D}$ and $\mathcal{E}$.

A commuting conversion is a proof transformation that allows let-like elimination rules, i.e. all elimination rules except ($\wedge E_1$), ($\wedge E_2$), ($\supset E$), and ($\forall E$), to be pushed outside of other elimination rules. For instance consider the following proof in which the rule (saysE) is used to prove a judgment that is principal in the rule ($\wedge E_1$).

$$\frac{\dfrac{\overset{\mathcal{D}}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} k\ \textsf{says}\ r \circ [u_1',u_2']} \qquad \overset{\mathcal{E}}{\Sigma;\Psi;E;\Gamma,\ k\ \textsf{claims}\ r \circ [u_1',u_2'] \vdash^{\nu} s_1 \wedge s_2 \circ [u_1,u_2]}}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \wedge s_2 \circ [u_1,u_2]}\ \textsf{saysE}}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \circ [u_1,u_2]}\ \wedge E_1$$

A commuting conversion may be applied to rotate the two rules, resulting in the following proof.

$$\frac{\overset{\mathcal{D}}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} k\ \textsf{says}\ r \circ [u_1',u_2']} \qquad \dfrac{\overset{\mathcal{E}}{\Sigma;\Psi;E;\Gamma,\ k\ \textsf{claims}\ r \circ [u_1',u_2'] \vdash^{\nu} s_1 \wedge s_2 \circ [u_1,u_2]}}{\Sigma;\Psi;E;\Gamma,\ k\ \textsf{claims}\ r \circ [u_1',u_2'] \vdash^{\nu} s_1 \circ [u_1,u_2]}\ \wedge E_1}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \circ [u_1,u_2]}\ \textsf{saysE}$$
$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Downarrow \qquad \Sigma;\Psi \models u_1 \le u_1' \qquad \Sigma;\Psi \models u_2' \le u_2}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1',u_2'] \Uparrow}\ (\Downarrow\Uparrow)$$

$$\frac{}{\Sigma;\Psi;E;\Gamma,\ s \circ [u_1,u_2] \vdash^{\nu} s \circ [u_1,u_2] \Downarrow}\ \textsf{hyp}$$

$$\frac{\nu = k, u_b, u_e \qquad \Sigma;\Psi \models u_1 \le u_b \qquad \Sigma;\Psi \models u_e \le u_2 \qquad \Sigma;\Psi \models k' \succeq k}{\Sigma;\Psi;E;\Gamma,\ k'\ \textsf{claims}\ s \circ [u_1,u_2] \vdash^{\nu} s \circ [u_1,u_2] \Downarrow}\ \textsf{claims}$$

$$\frac{\Sigma;\Psi;E;\Gamma|_{k,u_1,u_2} \vdash^{k,u_1,u_2} s \circ [u_1,u_2] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} k\ \textsf{says}\ s \circ [u_1,u_2] \Uparrow}\ \textsf{saysI}$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} k\ \textsf{says}\ s \circ [u_1,u_2] \Downarrow \qquad \Sigma;\Psi;E;\Gamma,\ k\ \textsf{claims}\ s \circ [u_1,u_2] \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow}\ \textsf{saysE}$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} (s \mathrel{@} [u_1,u_2]) \circ [u_1',u_2'] \Uparrow}\ @\textsf{I}$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} (s \mathrel{@} [u_1,u_2]) \circ [u_1',u_2'] \Downarrow \qquad \Sigma;\Psi;E;\Gamma,\ s \circ [u_1,u_2] \vdash^{\nu} s' \circ [u_1'',u_2''] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s' \circ [u_1'',u_2''] \Uparrow}\ @\textsf{E}$$

$$\frac{\Sigma;\Psi \models c}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} c \circ [u_1,u_2] \Uparrow}\ \textsf{consI}$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} c \circ [u_1,u_2] \Downarrow \qquad \Sigma;\Psi,c;E;\Gamma \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow}\ \textsf{consE}$$

$$\frac{\Sigma;E \models i}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} i \circ [u_1,u_2] \Uparrow}\ \textsf{interI}$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} i \circ [u_1,u_2] \Downarrow \qquad \Sigma;\Psi;E,i;\Gamma \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow}\ \textsf{interE}$$


Figure 4.7: BL: Canonical and atomic proofs, part 1


Formal definition. Formally, we characterize canonical proofs using two judgments $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Uparrow$ and $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Downarrow$ that are defined by the mutually inductive rules in Figures 4.7 and 4.8. The judgment $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Uparrow$ means that $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2]$ has a canonical proof whereas $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Downarrow$ means that $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2]$ has what we call an atomic proof. Atomic proofs are an auxiliary class of proofs that we need to define canonical proofs.

The rules defining these judgments are similar to those of natural deduction (Figures 4.2 and 4.3), and are also named similarly. The obvious differences are: (a) One of the symbols $\Uparrow$ and $\Downarrow$ is placed at the end of each hypothetical judgment, (b) There is a new rule $(\Downarrow\Uparrow)$
$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \circ [u_1,u_2] \Uparrow \qquad \Sigma;\Psi;E;\Gamma \vdash^{\nu} s_2 \circ [u_1,u_2] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \wedge s_2 \circ [u_1,u_2] \Uparrow}\ \wedge\textsf{I}$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \wedge s_2 \circ [u_1,u_2] \Downarrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \circ [u_1,u_2] \Downarrow}\ \wedge\textsf{E}_1 \qquad\qquad \frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \wedge s_2 \circ [u_1,u_2] \Downarrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_2 \circ [u_1,u_2] \Downarrow}\ \wedge\textsf{E}_2$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \circ [u_1,u_2] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \vee s_2 \circ [u_1,u_2] \Uparrow}\ \vee\textsf{I}_1 \qquad\qquad \frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_2 \circ [u_1,u_2] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \vee s_2 \circ [u_1,u_2] \Uparrow}\ \vee\textsf{I}_2$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \vee s_2 \circ [u_1,u_2] \Downarrow \qquad \Sigma;\Psi;E;\Gamma,\ s_1 \circ [u_1,u_2] \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow \qquad \Sigma;\Psi;E;\Gamma,\ s_2 \circ [u_1,u_2] \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow}\ \vee\textsf{E}$$

$$\frac{}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} \top \circ [u_1,u_2] \Uparrow}\ \top\textsf{I} \qquad\qquad \frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} \bot \circ [u_1,u_2] \Downarrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1',u_2'] \Uparrow}\ \bot\textsf{E}$$

$$\frac{\Sigma, x_1{:}\textsf{time}, x_2{:}\textsf{time};\ \Psi, u_1 \le x_1, x_2 \le u_2;\ E;\ \Gamma,\ s_1 \circ [x_1,x_2] \vdash^{\nu} s_2 \circ [x_1,x_2] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \supset s_2 \circ [u_1,u_2] \Uparrow}\ \supset\textsf{I}$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \supset s_2 \circ [u_1,u_2] \Downarrow \qquad \Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \circ [u_1',u_2'] \Uparrow \qquad \Sigma;\Psi \models u_1 \le u_1' \qquad \Sigma;\Psi \models u_2' \le u_2}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_2 \circ [u_1',u_2'] \Downarrow}\ \supset\textsf{E}$$

$$\frac{\Sigma, x{:}\sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} \forall x{:}\sigma.\,s \circ [u_1,u_2] \Uparrow}\ \forall\textsf{I} \qquad\qquad \frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} \forall x{:}\sigma.\,s \circ [u_1,u_2] \Downarrow \qquad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s[t/x] \circ [u_1,u_2] \Downarrow}\ \forall\textsf{E}$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s[t/x] \circ [u_1,u_2] \Uparrow \qquad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} \exists x{:}\sigma.\,s \circ [u_1,u_2] \Uparrow}\ \exists\textsf{I}$$

$$\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} \exists x{:}\sigma.\,s \circ [u_1,u_2] \Downarrow \qquad \Sigma, x{:}\sigma;\Psi;E;\Gamma,\ s \circ [u_1,u_2] \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow}{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s' \circ [u_1',u_2'] \Uparrow}\ \exists\textsf{E}$$


Figure 4.8: BL: Canonical and atomic proofs, part 2


which coerces from atomic proofs to canonical proofs, and (c) In the rules (hyp) and (claims) the principal hypothesis and the conclusion are true on the same time interval. Change (c) is motivated by a desire to be able to bidirectionally check canonical proofs. This should become clear in §5. Observe the following:

1. Every introduction rule results in a canonical proof, and its principal premise requires a canonical proof.

2. Every let-like elimination rule results in a canonical proof.

3. The rules (hyp), (claims), ($\wedge E_1$), ($\wedge E_2$), ($\supset E$), and ($\forall E$) result in atomic proofs.

4. The principal premise of every elimination rule must be atomic.

5. The rule $(\Downarrow\Uparrow)$ allows atomic proofs to be treated as canonical, but there is no rule to coerce canonical proofs to atomic proofs.

(1), (4), and (5) imply that a canonical proof has no $\beta$-redexes. Further, (2) and (4) imply that in every canonical proof commuting conversions have been fully applied.
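To make observations (1) to (5) concrete, here is an added example (not the thesis's or PCFS's code) of a bidirectional checker for the $\Uparrow$/$\Downarrow$ judgments on the fragment with atoms, $\wedge$ and says: atomic terms synthesise their judgment, canonical terms are checked against a goal, and the only coercion is $(\Downarrow\Uparrow)$. The tuple encoding of formulas and proof terms, integer time points, an explicit set of pairs for the order $\succeq$, and the treatment of $\Gamma|$ as keeping only claims hypotheses are assumptions made for this illustration, and the contexts and proof terms at the bottom are constructed data. Running it shows that the $\beta$-redex from the start of this section (saysI directly under saysE) is rejected, because saysI produces a canonical proof where saysE needs an atomic one and nothing coerces $\Uparrow$ to $\Downarrow$.

```python
"""Bidirectional checker for the canonical (⇑) and atomic (⇓) judgments of
Figures 4.7 and 4.8, restricted to atoms, ∧ and says.  Added illustration,
not the thesis's or PCFS's code.  Assumptions made here: formulas and proof
terms are nested tuples, time points are integers, the order ⪰ on principals
is an explicit set of pairs taken to be reflexive, and the restriction Γ|
keeps exactly the k claims s ∘ [u1,u2] hypotheses."""
from typing import List, Set, Tuple

Formula = tuple                       # ('atom', p) | ('and', s1, s2) | ('says', k, s)
Interval = Tuple[int, int]
Judgment = Tuple[Formula, Interval]   # s ∘ [u1, u2]
View = Tuple[str, int, int]           # ν = k, ub, ue
Hyp = tuple                           # ('true', s, iv) | ('claims', k, s, iv)


class NotCanonical(Exception):
    """The term is not a canonical/atomic proof of the goal."""


def stronger(order: Set[Tuple[str, str]], k1: str, k2: str) -> bool:
    """Σ;Ψ ⊨ k1 ⪰ k2, with ⪰ taken to be reflexive."""
    return k1 == k2 or (k1, k2) in order


def restrict(ctx: List[Hyp]) -> List[Hyp]:
    """Γ| for saysI (assumed: drop s ∘ [u1,u2] hypotheses, keep claims)."""
    return [h for h in ctx if h[0] == "claims"]


def infer(ctx: List[Hyp], order, view: View, term) -> Judgment:
    """Atomic (⇓) proofs synthesise their judgment.  Only hyp, claims and the
    non-let-like eliminations ∧E1/∧E2 are atomic (observation 3); anything
    else in this position is a β-redex or an unapplied commuting conversion
    and is rejected (observations 4 and 5)."""
    tag = term[0]
    if tag == "hyp":                          # Γ, s ∘ [u1,u2] ⊢ s ∘ [u1,u2] ⇓
        h = ctx[term[1]]
        if h[0] != "true":
            raise NotCanonical("hyp needs an s ∘ [u1,u2] hypothesis")
        return h[1], h[2]
    if tag == "claims":                       # same interval in hypothesis and conclusion
        h = ctx[term[1]]
        if h[0] != "claims":
            raise NotCanonical("claims needs a k' claims s hypothesis")
        _, kp, s, (u1, u2) = h
        k, ub, ue = view
        if not (u1 <= ub and ue <= u2 and stronger(order, kp, k)):
            raise NotCanonical("claims: %r not usable in view %r" % (h, view))
        return s, (u1, u2)
    if tag in ("andE1", "andE2"):
        s, iv = infer(ctx, order, view, term[1])   # principal premise must be ⇓
        if s[0] != "and":
            raise NotCanonical("∧E applied to a non-conjunction")
        return (s[1] if tag == "andE1" else s[2]), iv
    raise NotCanonical("%s yields a canonical proof; no ⇑ to ⇓ coercion exists" % tag)


def check(ctx: List[Hyp], order, view: View, term, goal: Judgment) -> bool:
    """Canonical (⇑) proofs are checked against a given goal."""
    s, (g1, g2) = goal
    tag = term[0]
    if tag == "coerce":                       # rule ⇓⇑: the only place time is weakened
        s0, (u1, u2) = infer(ctx, order, view, term[1])
        if s0 != s or not (u1 <= g1 and g2 <= u2):
            raise NotCanonical("⇓⇑: %r ∘ %r does not cover %r" % (s0, (u1, u2), goal))
        return True
    if tag == "andI":
        if s[0] != "and":
            raise NotCanonical("∧I against a non-conjunction")
        return (check(ctx, order, view, term[1], (s[1], (g1, g2))) and
                check(ctx, order, view, term[2], (s[2], (g1, g2))))
    if tag == "saysI":                        # Γ| ⊢^{k,u1,u2} s ⇑  /  Γ ⊢^ν k says s ⇑
        if s[0] != "says":
            raise NotCanonical("saysI against a non-says formula")
        return check(restrict(ctx), order, (s[1], g1, g2), term[1], (s[2], (g1, g2)))
    if tag == "saysE":                        # let-like: principal premise ⇓, body ⇑
        s0, (u1, u2) = infer(ctx, order, view, term[1])
        if s0[0] != "says":
            raise NotCanonical("saysE applied to a non-says formula")
        return check(ctx + [("claims", s0[1], s0[2], (u1, u2))], order, view, term[2], goal)
    raise NotCanonical("unknown proof term %s" % tag)


def is_canonical(ctx, order, view, term, goal) -> bool:
    try:
        return check(ctx, order, view, term, goal)
    except NotCanonical:
        return False


# Constructed example: Γ = k claims p ∘ [0,9], view k,0,9, goal p ∘ [2,3].
P, Q = ("atom", "p"), ("atom", "q")
CTX = [("claims", "k", P, (0, 9))]
VIEW = ("k", 0, 9)
GOAL = (P, (2, 3))
CANONICAL = ("coerce", ("claims", 0))          # claims, then ⇓⇑ shrinks [0,9] to [2,3]
# The β-redex of the text: k says p introduced by saysI and at once eliminated
# by saysE, so saysI stands where an atomic proof is required.
REDEX = ("saysE", ("saysI", ("coerce", ("claims", 0))), ("coerce", ("claims", 1)))
# Γ = (k says p ∧ q) ∘ [0,9] in view admin,0,9: saysE opens k's claim, then ∧E1
# and ⇓⇑; the claims step needs Σ;Ψ ⊨ k ⪰ admin.
CTX2 = [("true", ("says", "k", ("and", P, Q)), (0, 9))]
PROOF2 = ("saysE", ("hyp", 0), ("coerce", ("andE1", ("claims", 1))))

if __name__ == "__main__":
    print(is_canonical(CTX, set(), VIEW, CANONICAL, GOAL))                        # True
    print(is_canonical(CTX, set(), VIEW, REDEX, GOAL))                            # False
    print(is_canonical(CTX2, {("k", "admin")}, ("admin", 0, 9), PROOF2, GOAL))    # True
```

The checker never needs to search: every atomic subterm determines its own judgment, and the goal is only consulted at introductions and at $(\Downarrow\Uparrow)$, which is what makes canonical proofs bidirectionally checkable and why (hyp) and (claims) are required to keep the hypothesis's interval unchanged.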

Properties of canonical and atomic proofs. The most obvious property of canonical and atomic proofs is that each hypothetical judgment that has an atomic or canonical proof also has a natural deduction proof. This is fairly easy to prove by induction on atomic and canonical proofs.

Theorem 4.15 (Injection). The following hold.

1. If $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Uparrow$ then $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2]$.

2. If $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Downarrow$ then $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2]$.

Proof. By simultaneous induction on the given derivations, and case analysis of the last rules in them. The cases of (hyp) and (claims) rely on property (C-refl-time) from §4.2.1, whereas the case of $(\Downarrow\Uparrow)$ uses Theorem 4.4. □

The following analogue of view subsumption (Theorem 4.3) is straightforward.

Theorem 4.16 (View subsumption). Suppose the following hold:

1. $\nu = k_0, u_b, u_e$ and $\nu' = k_0', u_b', u_e'$

2. $\Sigma;\Psi \models k_0 \succeq k_0'$, $\Sigma;\Psi \models u_b \le u_b'$, and $\Sigma;\Psi \models u_e' \le u_e$

Then,

A. $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Uparrow$ implies $\Sigma;\Psi;E;\Gamma \vdash^{\nu'} s \circ [u_1,u_2] \Uparrow$ by a derivation of shorter or equal depth.

B. $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Downarrow$ implies $\Sigma;\Psi;E;\Gamma \vdash^{\nu'} s \circ [u_1,u_2] \Downarrow$ by a derivation of shorter or equal depth.

Proof. By simultaneous induction on the given derivations in A and B, and case analysis of the last rule. The case where the derivation in B ends in (claims) uses the assumptions (C-trans-time) and (C-trans-prin) from §4.2.1, as in the proof of Theorem 4.3. □

Next we consider the analogue of time subsumption (Theorem 4.4) for canonical proofs. Since in the rules (hyp) and (claims) of Figure 4.7 we require that the time interval in the hypothesis and that in the conclusion match, time subsumption does not hold for atomic proofs. However, the rule $(\Downarrow\Uparrow)$ allows subsumption with respect to time intervals, as a result of which canonical proofs admit time subsumption, as formalized by the following theorem.

Theorem 4.17 (Time subsumption). Suppose the following hold:

1. $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Uparrow$

2. $\Sigma;\Psi \models u_1 \le u_1'$ and $\Sigma;\Psi \models u_2' \le u_2$

Then $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1',u_2'] \Uparrow$.

Proof. By induction on the depth of the given derivation of $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Uparrow$ and case analysis of its last rule. The case where the derivation ends in rule (saysI) uses view subsumption (Theorem 4.16). In the case where the derivation ends in rule ($\supset$I), a lemma about substitution of constraints is needed. See Appendix B, Theorem B.9 for details. □

Both atomic and canonical proofs are closed under substitution by atomic proofs (next theorem). However, substitution of a canonical proof for a hypothesis may result in creation of a $\beta$-redex or a new commuting conversion, and hence atomic and canonical proofs are not closed under substitution by canonical proofs.

Theorem 4.18 (Substitution). Suppose $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Downarrow$. Then the following hold.

1. $\Sigma;\Psi;E;\Gamma,\ s \circ [u_1,u_2] \vdash^{\nu} r \circ [u_1',u_2'] \Uparrow$ implies $\Sigma;\Psi;E;\Gamma \vdash^{\nu} r \circ [u_1',u_2'] \Uparrow$.

2. $\Sigma;\Psi;E;\Gamma,\ s \circ [u_1,u_2] \vdash^{\nu} r \circ [u_1',u_2'] \Downarrow$ implies $\Sigma;\Psi;E;\Gamma \vdash^{\nu} r \circ [u_1',u_2'] \Downarrow$.

Proof. By simultaneous induction on the derivations given in (1) and (2), and case analysis of their last rules. □

Proof Normalization. Finally, we show that if a hypothetical judgment has a natural deduction proof, then it also has a canonical proof. By Theorem 4.14 we know that every natural deduction proof can be simulated in the sequent calculus. Given this fact, it suffices to show that every provable sequent has a canonical proof.

Theorem 4.19 (Normalization). Suppose $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2]$ in natural deduction. Then $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Uparrow$.

Proof. By Theorem 4.14 it suffices to show that $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ implies $\Sigma;\Psi;E;\Gamma \vdash^{\nu} s \circ [u_1,u_2] \Uparrow$. This can be proved by induction on the depth of the given sequent calculus proof and a case analysis of its last rule, making considerable use of Theorem 4.18. See Appendix B, Theorem B.10 for details of some representative cases. □

Since both the simulation of natural deduction in the sequent calculus (Theorem 4.14) and the simulation of the sequent calculus by canonical proofs (Theorem 4.19) are established constructively, there is an algorithm that converts a natural deduction proof to a canonical proof. This algorithm may be obtained by converting the inductive cases in the proofs of the two theorems to clauses of declarative programs. This algorithm is easy but tedious to describe, and since it does not provide any new insights, we omit its details.
4.6 Relation between $\mathrm{BL}_S$ and BL

So far, we have not described how the two logics $\mathrm{BL}_S$ (§3) and BL are related. Using the sequent calculus for BL it is easy to show that axiom (C) of $\mathrm{BL}_S$ (§3.1.1) is not admissible in BL, so BL is not a conservative extension of $\mathrm{BL}_S$. What, then, is the relation between the two logics? In this section we present two results in this regard. First we show that the translation from BL to $\mathrm{BL}_S$ that erases time intervals, constraints, and interpreted atoms maps provable hypothetical judgments to provable ones. In this sense BL is a generalization of $\mathrm{BL}_S$. Second we show that there is a simple embedding of $\mathrm{BL}_S$ in BL that preserves provability and unprovability of sequents.

Translation from BL to $\mathrm{BL}_S$. Figure 4.9 defines a translation $|\cdot|$ from BL to $\mathrm{BL}_S$ that maps constraints and interpreted atoms to $\top$ and erases $@$ connectives as well as suffixes $\circ [u_1,u_2]$. (To avoid having to translate sorts, we assume that time is a sort in $\mathrm{BL}_S$ but do not assume any specific properties of it.) As the following theorem states, the image of a sequent provable in BL is also provable in $\mathrm{BL}_S$, if we assume that constraints of the form $k \succeq k'$ do not appear in $\Psi$, $\Gamma$, and the conclusion. This restriction is needed to incorporate the fact that the order $\succeq$ among principals in $\mathrm{BL}_S$ is statically fixed, which may not be the case in BL in general. For instance if principals $k$ and $k'$ are unrelated in $\mathrm{BL}_S$, then even though $(k \succeq k') \supset ((k\ \textsf{says}\ s) \supset (k'\ \textsf{says}\ s))$ is provable in BL, its translation $\top \supset ((k\ \textsf{says}\ |s|) \supset (k'\ \textsf{says}\ |s|))$ may not be provable in $\mathrm{BL}_S$. Along the same lines, the theorem assumes that $\Sigma';\Psi' \models k \succeq k'$ in BL implies $\Sigma' \vdash k \succeq k'$ in $\mathrm{BL}_S$, whenever $\Psi'$ does not have $\succeq$ in it.

Theorem 4.20 (Soundness of translation). Suppose that the constraint constructor $\succeq$ does not appear in either $\Psi$, $\Gamma$, or $s$ and further suppose that for every $k$, $k'$, $\Sigma'$ and $\Psi'$ not containing $\succeq$, $\Sigma';\Psi' \models k \succeq k'$ in BL implies $\Sigma' \vdash k \succeq k'$ in $\mathrm{BL}_S$. Then provability of $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ in BL implies provability of $|\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]|$ in $\mathrm{BL}_S$.

Proof. By induction on the given derivation of $\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]$ and case analysis of its last rule. □

Embedding $\mathrm{BL}_S$ in BL. Figure 4.10 shows a translation $\ulcorner\cdot\urcorner$ from $\mathrm{BL}_S$ to BL that we claim is an embedding. The translation puts the suffix $@\,[-\infty,+\infty]$ inside the condition of every implication and adds the suffix $\circ [-\infty,+\infty]$ to every basic judgment of $\mathrm{BL}_S$. This remarkably simple translation preserves provability, as the following theorem states. The key observation in the proof of the theorem is that because of the suffix $@\,[-\infty,+\infty]$ inside every implication, it can be ensured that all intervals on basic judgments in the hypotheses in the proof of a translated sequent remain $[-\infty,+\infty]$.

Theorem 4.21 (Correctness of embedding). Suppose that for every $k$, $k'$, $\Sigma'$, and $\Psi'$ not containing $\succeq$, $\Sigma';\Psi' \models k \succeq k'$ in BL if and only if $\Sigma' \vdash k \succeq k'$ in $\mathrm{BL}_S$. Then, $\Sigma;\Gamma \xrightarrow{k_0} s$ is provable in $\mathrm{BL}_S$ if and only if $\ulcorner \Sigma;\Gamma \xrightarrow{k_0} s \urcorner$ is provable in BL.
Formulas $s$:

$|p| = p$

$|c| = \top$

$|i| = \top$

$|s_1 \wedge s_2| = |s_1| \wedge |s_2|$

$|s_1 \vee s_2| = |s_1| \vee |s_2|$

$|s_1 \supset s_2| = |s_1| \supset |s_2|$

$|\top| = \top$

$|\bot| = \bot$

$|\forall x{:}\sigma.\,s| = \forall x{:}\sigma.\,|s|$

$|\exists x{:}\sigma.\,s| = \exists x{:}\sigma.\,|s|$

$|k\ \textsf{says}\ s| = k\ \textsf{says}\ |s|$

$|s \mathrel{@} [u_1,u_2]| = |s|$

Basic Judgments $J$:

$|s \circ [u_1,u_2]| = |s|\ \textsf{true}$

$|k\ \textsf{claims}\ s \circ [u_1,u_2]| = k\ \textsf{claims}\ |s|$

Hypotheses $\Gamma$:

$|J_1, \ldots, J_n| = |J_1|, \ldots, |J_n|$

Views $\nu$:

$|k_0, u_b, u_e| = k_0$

Sequents:

$|\Sigma;\Psi;E;\Gamma \xrightarrow{\nu} s \circ [u_1,u_2]| = \Sigma;|\Gamma| \xrightarrow{|\nu|} |s|$


Figure 4.9: Translation $|\cdot|$ from BL to $\mathrm{BL}_S$


Proof. The "if" direction follows from the observation that $|\ulcorner \Sigma;\Gamma \xrightarrow{k_0} s \urcorner| = \Sigma;\Gamma \xrightarrow{k_0} s$. So if $\ulcorner \Sigma;\Gamma \xrightarrow{k_0} s \urcorner$ is provable in BL, then by Theorem 4.20, $|\ulcorner \Sigma;\Gamma \xrightarrow{k_0} s \urcorner|$ is provable in $\mathrm{BL}_S$, or equivalently, $\Sigma;\Gamma \xrightarrow{k_0} s$ is provable in $\mathrm{BL}_S$.

Proof of the "only if" direction follows by an induction on the depth of the given $\mathrm{BL}_S$ derivation of $\Sigma;\Gamma \xrightarrow{k_0} s$ and a case analysis of its last rule. See Appendix B, Theorem B.11 for some of the interesting cases. □
Formulas $s$:

$\ulcorner p \urcorner = p$

$\ulcorner s_1 \wedge s_2 \urcorner = \ulcorner s_1 \urcorner \wedge \ulcorner s_2 \urcorner$

$\ulcorner s_1 \vee s_2 \urcorner = \ulcorner s_1 \urcorner \vee \ulcorner s_2 \urcorner$

$\ulcorner s_1 \supset s_2 \urcorner = (\ulcorner s_1 \urcorner \mathrel{@} [-\infty,+\infty]) \supset \ulcorner s_2 \urcorner$

$\ulcorner \top \urcorner = \top$

$\ulcorner \bot \urcorner = \bot$

$\ulcorner \forall x{:}\sigma.\,s \urcorner = \forall x{:}\sigma.\,\ulcorner s \urcorner$

$\ulcorner \exists x{:}\sigma.\,s \urcorner = \exists x{:}\sigma.\,\ulcorner s \urcorner$

$\ulcorner k\ \textsf{says}\ s \urcorner = k\ \textsf{says}\ \ulcorner s \urcorner$

Basic Judgments $J$:

$\ulcorner s\ \textsf{true} \urcorner = \ulcorner s \urcorner \circ [-\infty,+\infty]$

$\ulcorner k\ \textsf{claims}\ s \urcorner = k\ \textsf{claims}\ \ulcorner s \urcorner \circ [-\infty,+\infty]$

Hypotheses $\Gamma$:

$\ulcorner J_1, \ldots, J_n \urcorner = \ulcorner J_1 \urcorner, \ldots, \ulcorner J_n \urcorner$

Views $k_0$:

$\ulcorner k_0 \urcorner = k_0, -\infty, +\infty$

Sequents:

$\ulcorner \Sigma;\Gamma \xrightarrow{k_0} s \urcorner = \Sigma;\cdot;\cdot;\ulcorner \Gamma \urcorner \xrightarrow{\ulcorner k_0 \urcorner} \ulcorner s \urcorner \circ [-\infty,+\infty]$

Figure 4.10: Embedding $\ulcorner\cdot\urcorner$ from $\mathrm{BL}_S$ to BL


Example 4.22. We mentioned earlier that BL is not a conservative extension of $\mathrm{BL}_S$ because axiom (C) of $\mathrm{BL}_S$, namely $k\ \textsf{says}\ ((k\ \textsf{says}\ s) \supset s)$, is not admissible in BL. However, it is easy to prove using the sequent calculus of BL that the translation of (C), i.e. $k\ \textsf{says}\ (((k\ \textsf{says}\ \ulcorner s \urcorner) \mathrel{@} [-\infty,+\infty]) \supset \ulcorner s \urcorner)$, is provable in BL for every $k$ and $s$.

4.7  Related  Work 

There  is  a  significant  amount  of  work  related  to  BL,  both  in  the  area  of  proof  theory,  and 
in  the  area  of  declarative  formalisms  for  representing  authorization  policies  that  depend  on 
time  and  system  state. 
Differences from $\eta$ logic. As mentioned in the introduction, the treatment of explicit time in BL is based on $\eta$ logic, which was first published in joint work of DeYoung, the author, and Pfenning [54], and largely developed in DeYoung's undergraduate thesis [53]. Besides the fact that the treatment of says in $\eta$ logic is derived from GP logic, whereas that in BL is based on $\mathrm{BL}_S$, there are also several other minor differences between the logics. First, the interaction between says and time in BL is richer than it is in $\eta$ due to the presence of views (see §4.4). Second, the treatment of constraints in BL is slightly more general than it is in $\eta$: the latter confines constraints to the constructs $c \wedge s$ and $c \supset s$. This is necessary because $\eta$ logic also considers well-formedness of intervals embedded in formulas; for $[u_1,u_2]$ to be well-formed, $u_1 \le u_2$ is a pre-requisite. Checking well-formedness necessitates collection of constraints statically from formulas, which is greatly eased if occurrences of constraints are restricted. In BL we elide this well-formedness check. BL's constraints can be recovered in $\eta$ by defining the formula $c$ as $c \wedge \top$, and conversely, well-formedness checks can be incorporated in BL without difficulty.

In terms of expressiveness, the embedding from GP logic to $\mathrm{BL}_S$ (§3.5.1) easily extends to an embedding from $\eta$ logic to BL, so BL is at least as expressive as $\eta$ logic. Further, for reasons mentioned in §3.1.2 exclusive delegation cannot be expressed easily in $\eta$ logic, but can be expressed readily in BL.

Hybrid logics. A hybrid logic is a modal logic, the worlds of whose Kripke structures are made explicit in formulas. Hybrid logics include modal formulas of the form $s \mathrel{@} w$, which means that formula $s$ is true at world $w$. $s \mathrel{@} [u_1,u_2]$ is a specific kind of hybrid connective, where the worlds have the structure of intervals on the integer line. Since the only properties of intervals used in BL and $\eta$ logic are reflexivity and transitivity of interval containment, one may think of $s \mathrel{@} [u_1,u_2]$ as a hybrid modality over a Kripke structure whose worlds form a partial order. Such Kripke models have been used to interpret intuitionistic logic in the past (see for example, [30]). Indeed the somewhat unusual ($\supset$I) rule in Figure 4.3 corresponds to the definition of satisfaction of implication in Kripke models. In this sense, BL is related to a lot of existing work on hybrid logics, and in particular, intuitionistic hybrid logics [35, 122].

Constraints. As in $\eta$ logic, integration of constraints and the proof system in BL is directly based on the work of Saranli and Pfenning [128] and that of Jia [84], both of which were in the context of linear logic. There has also been a significant amount of work on integrating constraint domains in logic programming languages. Since the latter line of work is not directly related to BL, we refer the reader to a survey for its details [82].

Within the context of authorization policies, a number of logic-based frameworks for expressing policies allow representation of constraints, e.g., [18, 23, 26, 94, 95]. The treatment of constraints in all these is similar to that in constrained logic programming. The author is unaware of any authorization logics with constraints prior to $\eta$ logic.

Explicit Time. Frühwirth's work on Temporal Annotated Constraint Logic Programming (TACLP) [62] is very closely related to BL's treatment of explicit time. Although not intended to express authorization policies, TACLP contains a modality $p\ \textsf{at}\ u$, which means that the atomic formula $p$ is true at time $u$. The notion corresponding to our connective $s \mathrel{@} [u_1,u_2]$ (called $s\ \textsf{th}\ I$ in TACLP, with $I$ being an interval) is then defined by first requiring that $\textsf{at}$ commute with all other connectives including implication, and then defining $s\ \textsf{th}\ I$ as $\forall u.\ ((u \in I) \supset (s\ \textsf{at}\ u))$. The obvious differences between BL and TACLP are that the latter lacks says and is a logic programming language, not a full logic.

In place of the $@$ modality, declarative frameworks for expressing authorization policies often include an interpreted constant that represents the time at which an operation such as proof search or proof verification is performed. This approach has been adopted, among others, in the language SecPAL where the constant currentTime() reduces to the time of evaluation of the authorization query [23], and in work on proof-carrying authorization where the constant localtime evaluates to the time of access [18]. Irrespective of the name, policy expiration can be represented using this constant in a simple manner; in proof-carrying authorization, for instance, one may say $(u_1 \le \textsf{localtime} \le u_2) \supset s$ instead of $s$ to force $s$ to be usable only in the time interval $[u_1,u_2]$. The limitation of this approach, as opposed to explicit time in BL, is that it does not work when formulas need to be proved on intervals of time other than $[\textsf{localtime}, \textsf{localtime}]$. For example, the policy rule in the paragraph "Anachronistic references" in §4.1.2 cannot be expressed with this constant alone, because the condition $(\textsf{mayaccess}\ k\ f)$ in the implication needs to be proved on the interval $[T,T]$, which is different from the time of access. More precisely, the approach works only if the policy rules do not have $@$ connectives nested inside other connectives.

Along similar lines, it is common in implementations of proof-carrying authorization to use extra-logical checks to enforce expiration of credentials since the logics used cannot represent time [18, 20]. Instead, it is checked in the reference monitor that the time of access lies in the intersection of the validities of all credentials used in the proof that authorizes access. In contrast, in logics like BL and $\eta$, the logic represents validities of certificates (§4.3), and proofs contain the same information, so these extra-logical checks are internalized into proof verification. PCFS goes a step further since information about time is extracted from proofs during proof verification and placed explicitly in procaps that are checked at the time of access (§5). Checking expiration of certificates directly is equivalent to the checks internalized in proof verification in BL if all $@$ connectives are at the top level. This was shown formally in prior work on $\eta$ logic [54].


System state. Independent of the work in this thesis and concurrently with it, Schneider
et al. have designed the Nexus Authorization Logic (NAL) [132] and implemented it in
the Nexus operating system [142]. NAL includes support for interpreted predicates in a
manner similar to that in BL - in the reference monitor, certain predicates are verified using
trusted decision procedures that may refer to the system state. The implementation of
the Nexus operating system uses a mix of proof-carrying authorization and inference in
reference monitors to enforce authorization policies written in NAL.

Several other logic-based frameworks for representing authorization policies [18, 23, 26,
94, 95] do not make a distinction between constraints and predicates interpreted on the state
of the system, and consequently support system state implicitly as part of their support
for constraints. The distinction between constraints and predicates interpreted on system
state is necessitated in BL because of the PCFS requirement to verify proofs in advance of
access. This requirement is not present in any other logic-based authorization framework.

There has also been some work on declarative languages and logics in which authorization
policies and state transitions can be represented simultaneously [22, 25, 55]. In such
frameworks, the state is represented through uninterpreted predicates, whose transition
rule(s) are also defined in the framework. This line of work is largely orthogonal to BL.
Chapter 5

BL Proof Terms, Their
Verification, and Procaps


In  §4  we  explained  BL’s  inference  rules  and  the  structure  of  BL’s  proofs.  This  chapter 
introduces  proof  terms,  a  compact  representation  of  natural  deduction  proofs  that  is  used 
in  PCFS,  and  describes  the  procedure  used  for  their  verification.  Whereas  a  description  of 
proof  terms  and  their  verification  for  a  logic  may  seem  trivial  in  general,  and  perhaps  not 
critical  enough  to  merit  an  independent  chapter  in  a  thesis,  there  are  at  least  three  reasons 
why  a  thorough  investigation  of  the  same  is  justified  here. 

First, in BL we are interested in simultaneously minimizing annotations in proof terms
to keep them small, and having a simple verification procedure whose implementation is
efficient and easily trusted. It is well known that these two goals are at odds with each
other. As extreme examples of the trade-off in intuitionistic logic, the Church-style of proof
terms results in an easy linear-time verification procedure but requires that every bound
variable be annotated with the judgment whose proof it represents; the Curry-style of proof
terms, on the other hand, mandates no annotations but results in a difficult verification
problem [44, 50]. In BL the trade-off is further complicated by a need to have the time
subsumption principle, i.e. we want a proof term that witnesses s ∘ [u1, u2] to also witness
s ∘ [u1', u2'] whenever [u1', u2'] ⊆ [u1, u2]. (See §4.3.2 for an explanation of the importance of
this principle.) Therefore, the Church-style of proof terms, which would allow a proof term
to establish at most one judgment, does not work for BL. Our final design of proof terms for
BL is based on an adaptation of bidirectional proofs, where proof verification is combined
with selective inference of judgments established by proof terms, and use of annotations
is restricted to β-redexes [117]. Although not surprising, this choice breaks the one-to-one
correspondence between natural deduction proofs and proof terms (i.e., the Curry-Howard
isomorphism), so some effort is needed to show that proof terms cover all natural deduction
proofs (§5.1.1). Further, we formally prove that the time subsumption principle as well as
several other intuitive properties hold for proof terms (§5.1.2).

Second, the proof verification problem for BL is non-trivial because proofs depend on
system state and time of use, both of which may change between the time of proof
verification and the time of access in PCFS (§4.3.2). (Recall from §2 that proof verification
in PCFS happens in advance of file access to keep the latter efficient.) Consequently, for
PCFS, we use a non-standard proof verification procedure that does not check parts of
a proof that depend on either system state or time of use, but instead outputs them as
conditions in the procap (capability) generated from the proof. The back end of PCFS
then completes the proof verification by checking these conditions every time the procap is
used for access. Explaining this proof verification procedure and proving that this two-part
checking results in accurate verification of proofs is one of the most important goals of this
chapter (§5.2). In addition, the chapter also describes the abstract structure and checking
of procaps (§5.2.3, §5.2.1), and discusses how policy revocation may be implemented in the
PCFS architecture (§5.2.4).

Third,  even  though  proof  terms  witness  natural  deduction  proofs,  the  proof  search  tool 
included  in  PCFS  constructs  sequent  calculus  proofs.  Consequently,  we  need  to  produce 
natural  deduction  proof  terms  from  sequent  calculus  proofs,  which  although  not  difficult, 
is  not  entirely  trivial  (§5.3).  We  also  explain  proof  terms  for  canonical  proofs  of  BL  and 
argue  that  all  proof  terms  can  be  reduced  to  a  canonical  form  (§5.4). 


5.1 Bidirectional Proof Terms for BL

BL proof terms are divided into two mutually inductive syntactic categories - checkables
and inferables. During proof verification it is checked that a checkable correctly establishes
a given basic judgment from given hypotheses, whereas the basic judgment witnessed by
an inferable is inferred. In this sense, the proof term system and verification are both
bidirectional [117]. The syntax of proof terms is summarized below. There is one proof
term constructor for every rule in natural deduction (the names of proof term constructors
and natural deduction rules correspond to each other). In addition, each inferable is also
a checkable, and there is a special constructor check that coerces checkables to inferables.
check is the only constructor whose arguments mention BL formulas. The letters π, π'
denote proof variables, which are used to name hypotheses in a proof. The notation π.E
means that the proof variable π is bound in the syntactic entity E and may be subject to
α-renaming; x.E is similar notation for binding the term variable x.

Checkables V ::= R | conjI V1 V2 | disjI1 V | disjI2 V | disjE R (π1.V1) (π2.V2)
               | topI | botE R | impI (x1.x2.π.V) | forallI (x.V) | existsI t V
               | existsE R (x.π.V) | atI V | atE R (π.V) | saysI V
               | saysE R (π.V) | consI | consE R V | interI | interE R V

Inferables R ::= π | check V s u1 u2 | conjE1 R | conjE2 R | impE R V u1 u2
               | forallE t R

Judgments and Inference Rules. We describe the use of proof terms through a proof
term calculus, which contains two hypothetical judgments Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2]
(checking) and Σ; Ψ; E; Π ⊢^ν R ⇒ s ∘ [u1, u2] (inference). These judgments are defined
by the mutually inductive rules in Figures 5.1 and 5.2. The hypotheses Π in these figures
are a multiset π1 : J1, ..., πn : Jn of pairs of proof variables πi and judgments Ji. Each
hypothesis Ji may be referred to in proof terms using the name πi. (We assume implicitly
that the names π1, ..., πn are distinct.)

\[
\Pi ::= \pi_1 : J_1, \ldots, \pi_n : J_n
\]

The definition of the restriction operator -| is revised to retain names of assumptions:

\[
\Pi| = \{(\pi : k\ \mathsf{claims}\ r \circ [u_1, u_2]) \in \Pi\}
\]


The rules defining the judgments Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2] and Σ; Ψ; E; Π ⊢^ν
R ⇒ s ∘ [u1, u2] are similar to those for canonical and atomic proofs from §4.5 - wherever
a canonical proof judgment appeared in the rules of §4.5, we now have a checking
judgment ⇐, and wherever an atomic proof judgment appeared in the rules of §4.5,
we now have an inference judgment ⇒. There is, of course, the rule (check), which has
no analogue in the rules of §4.5, and it is this rule that allows proof terms to witness all
natural deduction proofs, not just canonical and atomic ones. With the exception of the
last one, the following observations about the proof term calculus of Figures 5.1 and 5.2
parallel similar observations from §4.5.

1. The conclusion of every introduction rule has a checkable proof term, and so does its
principal premise.

2. The conclusion of every let-like elimination rule has a checkable proof term.

3. The conclusions of rules (check), (hyp), (claims), (∧E1), (∧E2), (⊃E), and (∀E) contain
inferable proof terms.

4. The principal premise of every elimination rule has an inferable proof term.

5. The rule (infer) shifts judgments from inference to checking, whereas the rule (check)
shifts in the other direction.

While  a  precise  connection  between  the  proof  term  calculus  of  Figures  5.1  and  5.2  and 
canonical  and  atomic  proofs  is  postponed  to  §5.4,  in  the  following  we  explain  how  proof 
terms  may  be  used  to  witness  natural  deduction  proofs  in  general. 

5.1.1  Connection  to  Natural  Deduction 

The proof term calculus of Figures 5.1 and 5.2 corresponds to natural deduction of Figures
4.2 and 4.3 due to two properties that we formalize and prove in this section. First,
if we erase the proof term, all proof variables, and the entailment symbol ⇒ or ⇐ from
a hypothetical judgment that is provable in the proof term calculus, then we obtain a
hypothetical judgment that is provable in natural deduction. Thus the proof term calculus
is sound with respect to natural deduction. Second, given a natural deduction proof of
Σ; Ψ; E; Γ ⊢^ν s ∘ [u1, u2] and any Π that assigns unique names to judgments in Γ, we
can construct a checkable V and a derivation in the proof term calculus which shows that
Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2]. This implies that the proof term calculus is complete with
respect to natural deduction.

Figure 5.1: Bidirectional proof terms, part 1

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s \circ [u_1',u_2'] \qquad \Sigma;\Psi \models u_1' \le u_1 \qquad \Sigma;\Psi \models u_2 \le u_2'}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Leftarrow s \circ [u_1,u_2]}\ (\mathrm{infer})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{check}\ V\ s\ u_1\ u_2 \Rightarrow s \circ [u_1,u_2]}\ (\mathrm{check})
\]

\[
\frac{}{\Sigma;\Psi;E;\Pi, \pi : s \circ [u_1,u_2] \vdash^{\nu} \pi \Rightarrow s \circ [u_1,u_2]}\ (\mathrm{hyp})
\]

\[
\frac{\nu = k', u_b, u_e \qquad \Sigma;\Psi \models u_1 \le u_b \qquad \Sigma;\Psi \models u_e \le u_2 \qquad \Sigma;\Psi \models k \succeq k'}
{\Sigma;\Psi;E;\Pi, \pi : k\ \mathsf{claims}\ s \circ [u_1,u_2] \vdash^{\nu} \pi \Rightarrow s \circ [u_1,u_2]}\ (\mathrm{claims})
\]

\[
\frac{\Sigma;\Psi;E;\Pi| \vdash^{k,u_1,u_2} V \Leftarrow s \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{saysI}\ V \Leftarrow k\ \mathsf{says}\ s \circ [u_1,u_2]}\ (\mathrm{saysI})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow k\ \mathsf{says}\ s \circ [u_1,u_2] \qquad \Sigma;\Psi;E;\Pi, \pi : k\ \mathsf{claims}\ s \circ [u_1,u_2] \vdash^{\nu} V \Leftarrow s' \circ [u_1',u_2']}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{saysE}\ R\ (\pi.V) \Leftarrow s' \circ [u_1',u_2']}\ (\mathrm{saysE})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{atI}\ V \Leftarrow (s\ @\ [u_1,u_2]) \circ [u_1',u_2']}\ (@\mathrm{I})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow (s\ @\ [u_1,u_2]) \circ [u_1',u_2'] \qquad \Sigma;\Psi;E;\Pi, \pi : s \circ [u_1,u_2] \vdash^{\nu} V \Leftarrow s' \circ [u_1'',u_2'']}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{atE}\ R\ (\pi.V) \Leftarrow s' \circ [u_1'',u_2'']}\ (@\mathrm{E})
\]

\[
\frac{\Sigma;\Psi \models c}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{consI} \Leftarrow c \circ [u_1,u_2]}\ (\mathrm{consI})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow c \circ [u_1,u_2] \qquad \Sigma;\Psi,c;E;\Pi \vdash^{\nu} V \Leftarrow s' \circ [u_1',u_2']}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{consE}\ R\ V \Leftarrow s' \circ [u_1',u_2']}\ (\mathrm{consE})
\]

\[
\frac{\Sigma;E \models i}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{interI} \Leftarrow i \circ [u_1,u_2]}\ (\mathrm{interI})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow i \circ [u_1,u_2] \qquad \Sigma;\Psi;E,i;\Pi \vdash^{\nu} V \Leftarrow s' \circ [u_1',u_2']}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{interE}\ R\ V \Leftarrow s' \circ [u_1',u_2']}\ (\mathrm{interE})
\]

Figure 5.2: Bidirectional proof terms, part 2

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V_1 \Leftarrow s_1 \circ [u_1,u_2] \qquad \Sigma;\Psi;E;\Pi \vdash^{\nu} V_2 \Leftarrow s_2 \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{conjI}\ V_1\ V_2 \Leftarrow s_1 \wedge s_2 \circ [u_1,u_2]}\ (\wedge\mathrm{I})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s_1 \wedge s_2 \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{conjE1}\ R \Rightarrow s_1 \circ [u_1,u_2]}\ (\wedge\mathrm{E}_1)
\qquad
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s_1 \wedge s_2 \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{conjE2}\ R \Rightarrow s_2 \circ [u_1,u_2]}\ (\wedge\mathrm{E}_2)
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s_1 \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{disjI1}\ V \Leftarrow s_1 \vee s_2 \circ [u_1,u_2]}\ (\vee\mathrm{I}_1)
\qquad
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s_2 \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{disjI2}\ V \Leftarrow s_1 \vee s_2 \circ [u_1,u_2]}\ (\vee\mathrm{I}_2)
\]

\[
\frac{\begin{array}{c}
\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s_1 \vee s_2 \circ [u_1,u_2] \\
\Sigma;\Psi;E;\Pi, \pi_1 : s_1 \circ [u_1,u_2] \vdash^{\nu} V_1 \Leftarrow s' \circ [u_1',u_2'] \qquad
\Sigma;\Psi;E;\Pi, \pi_2 : s_2 \circ [u_1,u_2] \vdash^{\nu} V_2 \Leftarrow s' \circ [u_1',u_2']
\end{array}}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{disjE}\ R\ (\pi_1.V_1)\ (\pi_2.V_2) \Leftarrow s' \circ [u_1',u_2']}\ (\vee\mathrm{E})
\]

\[
\frac{}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{topI} \Leftarrow \top \circ [u_1,u_2]}\ (\top\mathrm{I})
\qquad
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow \bot \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{botE}\ R \Leftarrow s \circ [u_1',u_2']}\ (\bot\mathrm{E})
\]

\[
\frac{\Sigma, x_1{:}\mathsf{time}, x_2{:}\mathsf{time};\ \Psi, u_1 \le x_1, x_2 \le u_2;\ E;\ \Pi, \pi : s_1 \circ [x_1,x_2] \vdash^{\nu} V \Leftarrow s_2 \circ [x_1,x_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{impI}\ (x_1.x_2.\pi.V) \Leftarrow s_1 \supset s_2 \circ [u_1,u_2]}\ (\supset\mathrm{I})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s_1 \supset s_2 \circ [u_1,u_2] \qquad \Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s_1 \circ [u_1',u_2'] \qquad \Sigma;\Psi \models u_1 \le u_1' \qquad \Sigma;\Psi \models u_2' \le u_2}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{impE}\ R\ V\ u_1'\ u_2' \Rightarrow s_2 \circ [u_1',u_2']}\ (\supset\mathrm{E})
\]

\[
\frac{\Sigma, x{:}\sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{forallI}\ (x.V) \Leftarrow \forall x{:}\sigma.s \circ [u_1,u_2]}\ (\forall\mathrm{I})
\qquad
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow \forall x{:}\sigma.s \circ [u_1,u_2] \qquad \Sigma \vdash t : \sigma}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{forallE}\ t\ R \Rightarrow s[t/x] \circ [u_1,u_2]}\ (\forall\mathrm{E})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s[t/x] \circ [u_1,u_2] \qquad \Sigma \vdash t : \sigma}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{existsI}\ t\ V \Leftarrow \exists x{:}\sigma.s \circ [u_1,u_2]}\ (\exists\mathrm{I})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow \exists x{:}\sigma.s \circ [u_1,u_2] \qquad \Sigma, x{:}\sigma;\Psi;E;\Pi, \pi : s \circ [u_1,u_2] \vdash^{\nu} V \Leftarrow s' \circ [u_1',u_2']}
{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{existsE}\ R\ (x.\pi.V) \Leftarrow s' \circ [u_1',u_2']}\ (\exists\mathrm{E})
\]

Definition 5.1. For Π = π1 : J1, ..., πn : Jn, define |Π| to be the hypotheses J1, ..., Jn.

Theorem 5.2 (Soundness). The following hold.

1. If Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2], then Σ; Ψ; E; |Π| ⊢^ν s ∘ [u1, u2].

2. If Σ; Ψ; E; Π ⊢^ν R ⇒ s ∘ [u1, u2], then Σ; Ψ; E; |Π| ⊢^ν s ∘ [u1, u2].
Proof. By simultaneous induction on the given derivations and case analysis of their last rules.
For the cases of rules (hyp) and (claims) of Figure 5.1 we use the property (C-refl-time)
from §4.2.1. The case of rule (infer) relies on Theorem 4.4. □

An important point about this soundness result is that its proof is not based on simply
erasing all proof variables and proof terms from the given proof term calculus derivations.
Indeed, doing the latter may not result in a valid natural deduction derivation because,
after erasing proof terms, the rule (infer) in the proof term calculus corresponds exactly to
time subsumption for natural deduction, which is not an explicit rule but is established as a
theorem (Theorem 4.4).

Theorem 5.3 (Completeness). Suppose Σ; Ψ; E; Γ ⊢^ν s ∘ [u1, u2] and |Π| = Γ. Then there
is a checkable V such that Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2].

Proof. By induction on the given derivation of Σ; Ψ; E; Γ ⊢^ν s ∘ [u1, u2] and a case analysis
of its last rule. Some interesting cases are shown below.

Case.
\[
\frac{\Sigma;\Psi \models u_1' \le u_1 \qquad \Sigma;\Psi \models u_2 \le u_2'}
{\Sigma;\Psi;E;\Gamma, s \circ [u_1',u_2'] \vdash^{\nu} s \circ [u_1,u_2]}\ (\mathrm{hyp})
\]

Let |Π, π : s ∘ [u1', u2']| = Γ, s ∘ [u1', u2']. Choose V = π.

To show: Σ; Ψ; E; Π, π : s ∘ [u1', u2'] ⊢^ν π ⇐ s ∘ [u1, u2].

1. Σ; Ψ; E; Π, π : s ∘ [u1', u2'] ⊢^ν π ⇒ s ∘ [u1', u2'] (Rule (hyp))

2. Σ; Ψ; E; Π, π : s ∘ [u1', u2'] ⊢^ν π ⇐ s ∘ [u1, u2] (Rule (infer) on 1 and premises)

Case.
\[
\frac{\Sigma;\Psi;E;\Gamma| \vdash^{k,u_1,u_2} s \circ [u_1,u_2]}
{\Sigma;\Psi;E;\Gamma \vdash^{\nu} k\ \mathsf{says}\ s \circ [u_1,u_2]}\ (\mathrm{saysI})
\]

To show: There is a V such that Σ; Ψ; E; Π ⊢^ν V ⇐ k says s ∘ [u1, u2].

1. |(Π|)| = (|Π|)| = Γ| (Definition)

2. There is a V' such that Σ; Ψ; E; Π| ⊢^{k,u1,u2} V' ⇐ s ∘ [u1, u2] (i.h. on premise; 1)

3. Σ; Ψ; E; Π ⊢^ν saysI V' ⇐ k says s ∘ [u1, u2] (Rule (saysI) on 2)

Choose V = saysI V'.

Case.
\[
\frac{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \supset s_2 \circ [u_1,u_2] \qquad \Sigma;\Psi;E;\Gamma \vdash^{\nu} s_1 \circ [u_1',u_2'] \qquad \Sigma;\Psi \models u_1 \le u_1' \qquad \Sigma;\Psi \models u_2' \le u_2}
{\Sigma;\Psi;E;\Gamma \vdash^{\nu} s_2 \circ [u_1',u_2']}\ (\supset\mathrm{E})
\]

To show: There is a V such that Σ; Ψ; E; Π ⊢^ν V ⇐ s2 ∘ [u1', u2'].

1. There is a V1 such that Σ; Ψ; E; Π ⊢^ν V1 ⇐ s1 ⊃ s2 ∘ [u1, u2] (i.h. on 1st premise)

2. Σ; Ψ; E; Π ⊢^ν check V1 (s1 ⊃ s2) u1 u2 ⇒ s1 ⊃ s2 ∘ [u1, u2] (Rule (check) on 1)

3. There is a V2 such that Σ; Ψ; E; Π ⊢^ν V2 ⇐ s1 ∘ [u1', u2'] (i.h. on 2nd premise)

4. Σ; Ψ; E; Π ⊢^ν impE (check V1 (s1 ⊃ s2) u1 u2) V2 u1' u2' ⇒ s2 ∘ [u1', u2']
   (Rule (⊃E) on 2, 3, and 3rd, 4th premises)

5. Σ; Ψ ⊨ u1' ≤ u1' and Σ; Ψ ⊨ u2' ≤ u2' ((C-refl-time) from §4.4)

6. Σ; Ψ; E; Π ⊢^ν impE (check V1 (s1 ⊃ s2) u1 u2) V2 u1' u2' ⇐ s2 ∘ [u1', u2']
   (Rule (infer) on 4, 5)

Choose V = impE (check V1 (s1 ⊃ s2) u1 u2) V2 u1' u2'. □

The proof of Theorem 5.3 is constructive - its inductive cases can be interpreted as a
function for constructing the checkable V as well as the derivation of Σ; Ψ; E; Π ⊢^ν V ⇐
s ∘ [u1, u2] from a proof of Σ; Ψ; E; |Π| ⊢^ν s ∘ [u1, u2]. It is also instructive to observe the
role of the constructor check and the rule (infer) in the proof.

5.1.2 Properties of Proof Terms

In general, analogues of all properties of natural deduction from §4.2.3 may be stated and
proved for the proof term calculus. This section presents some of the more interesting
properties, including the analogue of the time subsumption principle. As for natural deduction,
the following view subsumption principle is needed to prove time subsumption.

Theorem 5.4 (View subsumption). Suppose the following hold:

1. ν = k0, ub, ue and ν' = k0', ub', ue'

2. Σ; Ψ ⊨ k0 ≽ k0', Σ; Ψ ⊨ ub ≤ ub', and Σ; Ψ ⊨ ue' ≤ ue.

Then,

A. Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2] implies Σ; Ψ; E; Π ⊢^{ν'} V ⇐ s ∘ [u1, u2] by a
derivation of smaller or equal depth.

B. Σ; Ψ; E; Π ⊢^ν R ⇒ s ∘ [u1, u2] implies Σ; Ψ; E; Π ⊢^{ν'} R ⇒ s ∘ [u1, u2] by a
derivation of smaller or equal depth.

Proof. By simultaneous induction on the given derivations in A and B, and case analysis of
the last rule. The case where the derivation in A ends in (claims) uses the assumptions
(C-trans-time) and (C-trans-prin) from §4.2.1, as in the proof of Theorem 4.3. □

The next theorem formally states the time subsumption principle with proof terms. The
theorem mentions checkables only, since an analogous principle does not hold for inferables:
e.g., according to the rule (hyp) of Figure 5.1, the hypothesis π : s ∘ [u1, u2] can be used
to infer s ∘ [u1, u2], but not s ∘ [u1', u2'] for any other interval [u1', u2']. This restriction
in the rule (hyp), and also (claims), is deliberate since it simplifies proof checking. The
proof verifier in PCFS expects checkables, not inferables, so having the time subsumption
principle only for checkables suffices for our purposes.
Theorem 5.5 (Time subsumption). Suppose the following hold:

1. Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2]

2. Σ; Ψ ⊨ u1 ≤ u1' and Σ; Ψ ⊨ u2' ≤ u2

Then Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1', u2'].

Proof. By induction on the depth of the given derivation of Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2]
and case analysis of its last rule. The case where the derivation ends in rule (saysI) uses
view subsumption (Theorem 5.4). The case where the derivation ends in (⊃I) requires a
lemma about substitution of constraints. See Theorem C.2 in Appendix C for details. □

Let S[S'/π] denote the usual capture-avoiding substitution of S' for the variable π in S. The
syntax of proof terms is not closed under substitution of proof variables by checkables. For
instance, substituting the checkable V for a proof variable π that occurs in inferable position,
as in the inferable conjE1 π, results in the term conjE1 V, which is neither a checkable nor
an inferable. However, checkables and inferables are individually closed under substitution
by inferables, as the following theorem states.

Theorem 5.6 (Closure under substitution). The following hold.

1. For every checkable V and inferable R', V[R'/π] is a checkable.

2. For every inferable R and inferable R', R[R'/π] is an inferable.

Proof. By simultaneous induction on the structures of V and R. □

With Theorem 5.6 in mind, the following theorem generalizes the substitution principle
of natural deduction (Theorem 4.5).

Theorem 5.7 (Substitution). Suppose Σ; Ψ; E; Π ⊢^ν R' ⇒ s ∘ [u1, u2]. Then the following
hold.

1. Σ; Ψ; E; Π, π : s ∘ [u1, u2] ⊢^ν V ⇐ r ∘ [u1', u2'] implies Σ; Ψ; E; Π ⊢^ν V[R'/π] ⇐ r ∘
[u1', u2'].

2. Σ; Ψ; E; Π, π : s ∘ [u1, u2] ⊢^ν R ⇒ r ∘ [u1', u2'] implies Σ; Ψ; E; Π ⊢^ν R[R'/π] ⇒ r ∘
[u1', u2'].

Proof. By simultaneous induction on the derivations given in (1) and (2), and case analysis of
their last rules. □

5.1.3  Bidirectional  Verification  (The  One  Not  Used  in  PCFS) 

The  rules  of  Figures  5.1  and  5.2  can  be  interpreted  as  a  decision  procedure  for  verification 
of  proof  terms  (next  theorem).  However,  for  reasons  mentioned  in  the  opening  of  this 
chapter,  the  actual  verification  procedure  used  in  PCFS  is  different;  it  is  described  in  §5.2. 
The  following  theorem  is  presented  primarily  to  explain  the  bidirectional  nature  of  proof 
verification,  and  to  point  out  the  need  for  annotations  present  in  the  constructors  impE  and 
check. 
Theorem 5.8 (Bidirectional verification). Suppose that the judgments Σ ⊢ t : σ, Σ; Ψ ⊨ c,
and Σ; E ⊨ i can all be decided in constant time. Then there are mutually inductive decision
procedures A and B, with time complexities linear in the sizes of V and R respectively, such
that:

- A takes Σ, Ψ, E, Π, ν, s, u1, u2, and V as arguments and determines whether Σ; Ψ; E; Π ⊢^ν
V ⇐ s ∘ [u1, u2] or not.

- B takes Σ, Ψ, E, Π, ν, and R as arguments and finds (the unique) s, u1, u2 such that
Σ; Ψ; E; Π ⊢^ν R ⇒ s ∘ [u1, u2] if such s, u1, u2 exist, else returns an error.

Proof. By simultaneous construction of A and B. Each procedure works by a case analysis
of the top level constructor of the proof term (V or R) provided as an argument. We show
some interesting cases of each procedure. Termination of A and B follows by a lexicographic
induction, first on the sizes of V and R, and then on the order A > B.

Procedure A

Case. V = R. In this case, the judgment Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2], if provable, can
only be established by the rule (infer). Therefore, A works as follows.

1. Call B with arguments Σ, Ψ, E, Π, ν, and R.

2. If (1) returns an error, the required judgment Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2] is not
provable.

3. If (1) returns s', u1', u2', check that s' = s, Σ; Ψ ⊨ u1' ≤ u1, and Σ; Ψ ⊨ u2 ≤ u2'. If
all checks succeed then Σ; Ψ; E; Π ⊢^ν V ⇐ s ∘ [u1, u2] is provable, else it is not.

Procedure B

Case. R = impE R' V u1' u2'. In this case, if s, u1, u2 exist, then the judgment Σ; Ψ; E; Π ⊢^ν
R ⇒ s ∘ [u1, u2] can only be established by the rule (⊃E). Therefore, B works as follows.

1. Call B with arguments Σ, Ψ, E, Π, ν, and R'.

2. If (1) returns an error, return an error.

3. If (1) returns s', u1, u2, check that s' = s1 ⊃ s2 for some s1 and s2 (if not, return an
error).

4. Call A with arguments Σ, Ψ, E, Π, ν, s1, u1', u2', and V.

5. If (4) returns false, return an error.

6. If (4) returns true, check that Σ; Ψ ⊨ u1 ≤ u1' and that Σ; Ψ ⊨ u2' ≤ u2. If both
checks succeed, return s2, u1', u2', else return an error.

Case. R = check V s u1 u2. Following rule (check), B works as follows.

1. Call A with arguments Σ, Ψ, E, Π, ν, s, u1, u2, and V.

2. If (1) returns false, return an error.

3. If (1) returns true, return s, u1, u2.

□

The reader may observe in the proof the critical roles played by the annotations u1', u2'
in the case for the inferable impE R V u1' u2' and the annotations s, u1, u2 in the case for
the inferable check V s u1 u2.

5.2 Proof Verification in PCFS

We mentioned in §4.3.1 that in PCFS an offline proof verifier, called in advance of access,
checks proofs of hypothetical judgments of the form Σ; ·; E; Γ ⊢^ν admin says (may k f η) ∘
[u, u]. Since proofs in PCFS are represented using checkable proof terms V, the problem
of proof verification in PCFS is more precisely one of checking provability of proof term
judgments of the form Σ; ·; E; Π ⊢^ν V ⇐ admin says (may k f η) ∘ [u, u]. If such a judgment
is provable, the output of proof verification is a signed capability, or procap, that contains
the terms k, f, η, else the output is an error. The procap, if obtained, may be used by k to
authorize permission η on file f in the PCFS back end (§2). The relevant question here is
how the proof verifier determines whether Σ; ·; E; Π ⊢^ν V ⇐ admin says (may k f η) ∘ [u, u]
is provable or not. Whereas a casual inspection of the problem may suggest that the
procedures constructed in Theorem 5.8 would suffice for this purpose, this is not actually
the case in PCFS because u and E are not known when the proof verifier is invoked.
Recall from §4.3.1 that u and E represent respectively the exact time at which the access
authorized by the proof is used and the system state prevalent at that time. It is clearly
impractical to expect either the verifier or the user invoking the verifier to determine either
of these in advance of access. In the absence of knowledge of u and E, the procedures of
Theorem 5.8 cannot be used directly.

As a result, the proof verifier in PCFS uses a modified verification procedure that
postpones checking of constraints depending on u as well as interpreted predicates depending
on E to the back end. This is done by writing such constraints and interpreted predicates
to the procap, whose validity becomes conditional on the satisfaction of the constraints
and the interpreted predicates. More precisely, instead of ascertaining provability of the
judgment Σ; ·; E; Π ⊢^ν V ⇐ admin says (may k f η) ∘ [u, u], the proof verifier ascertains
the provability of the following judgment, which replaces u by a symbolic constant ctime
that the back end recognizes, and replaces E by the empty system state ·.

\[
\Sigma, \mathsf{ctime}{:}\mathsf{time};\ \cdot;\ \cdot;\ \Pi \vdash^{\nu} V \Leftarrow \mathsf{admin}\ \mathsf{says}\ (\mathsf{may}\ k\ f\ \eta) \circ [\mathsf{ctime}, \mathsf{ctime}]
\]

In ascertaining the provability of this judgment, the proof verifier may encounter several
judgments of the form Σ'; Ψ' ⊨ c' containing the symbolic constant ctime, which the decision
procedure for constraints is unable to discharge. All such judgments are written to the
procap as conditions. (Note that Ψ' may not always be empty, as hypothetical constraints
may be introduced in some branches of the proof by rules like (consE).) Similarly, the proof
verifier may encounter judgments of the form Σ'; E' ⊨ i' which cannot be verified because
E' does not include the intended state E. Again, all such judgments are written to the
procap as conditions.

The back end of PCFS "completes" the proof verification whenever it uses a procap for
authorizing access by making the following two checks.

- For each judgment Σ', ctime:time; Ψ' ⊨ c' written as a condition in the procap, it
checks that Σ'; Ψ'[u/ctime] ⊨ c'[u/ctime], where u is the clock reading at the time of
the access.

- For each judgment Σ', ctime:time; E' ⊨ i' written as a condition in the procap, it
checks that Σ'; E, E'[u/ctime] ⊨ i'[u/ctime], where E is the state prevailing at the
time of the access.

It is not immediately obvious that this two-part proof verification, where some checks
are performed prior to access by an offline verifier and the remaining ones during a file system
call by the back end, is actually correct, i.e. that it authorizes exactly those accesses that a proof
verifier with full knowledge of u and E would authorize using the procedures constructed
in Theorem 5.8. The latter would be the case if we were to follow the usual proof-carrying
authorization approach and embed the proof verifier in the PCFS back end. In the rest
of this section, we formalize the procedure that the PCFS proof verifier uses to ascertain
the provability of Σ, ctime:time; ·; ·; Π ⊢^ν V ⇐ admin says (may k f η) ∘ [ctime, ctime] and
to generate conditions from it, and show that the two-part proof verification that PCFS
employs is correct in the sense mentioned above.

5.2.1 The PCFS Proof Verifier

In this section we formally describe the PCFS proof verifier that generates conditions for
procaps; the next section shows that the checks it makes, together with the checks made
by the back end, ensure correct proof verification. We use the term hypothetical constraint
for judgments of the form $\Sigma;\ \Psi \models c$ (the judgment may or may not hold). Similarly, we
call judgments of the form $\Sigma;\ E \models i$ hypothetical states. The symbols $\mathcal{C}$ and $\mathcal{I}$ denote
multisets of hypothetical constraints and hypothetical states respectively. We define two
functions, both named unsat, that take multisets of hypothetical constraints and multisets
of hypothetical states as arguments and return the subsets that do not hold.

\[
\mathsf{unsat}(\mathcal{C}) = \{ (\Sigma;\ \Psi \models c) \in \mathcal{C} \mid \Sigma;\ \Psi \models c \text{ does not hold} \}
\]

\[
\mathsf{unsat}(\mathcal{I}) = \{ (\Sigma;\ E \models i) \in \mathcal{I} \mid \Sigma;\ E \models i \text{ does not hold} \}
\]

The proof verification procedure used in PCFS is described by two judgments:

\[
\begin{array}{ll}
\text{(Checking)} & \Sigma;\ \Psi;\ E;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I} \\
\text{(Inference)} & \Sigma;\ \Psi;\ E;\ \Pi \vdash^{\nu} R \Rightarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}
\end{array}
\]

These judgments are respective generalizations of the checking and synthesis judgments
of §5.1, with the added proviso that there are outputs $\mathcal{C}$ and $\mathcal{I}$ associated with each
judgment. Intuitively,

- $\mathcal{C}$ contains exactly those hypothetical constraints that are needed for the given proof to
be correct, but cannot be shown to hold because they contain uninstantiated constants
like ctime.

- $\mathcal{I}$ contains exactly those hypothetical states that are needed for the given proof to be
correct, but cannot be shown to hold because the system state assumed in them is
incomplete.

The inference rules defining the two judgments are listed in Figures 5.3 and 5.4. These
rules are in one-to-one correspondence with those of the proof term calculus and have
been obtained by applying the two principles above to the rules of Figures 5.1 and 5.2. The
main idea is that whenever a hypothetical constraint or hypothetical state that does not
hold is encountered, it is written to the output $\mathcal{C}$ or $\mathcal{I}$. (Observe the use of the functions
unsat in the rules.) The rules may be interpreted as decision procedures in the following
sense.

Theorem 5.9. Assuming that the judgments $\Sigma \vdash t : \sigma$, $\Sigma;\ \Psi \models c$, and $\Sigma;\ E \models i$ are all
decidable, there are mutually inductive decision procedures A and B such that:

- A takes $\Sigma$, $\Psi$, $E$, $\Pi$, $\nu$, $s$, $u_1$, $u_2$, and $V$ as arguments and finds (the unique) $\mathcal{C}$ and $\mathcal{I}$
such that $\Sigma;\ \Psi;\ E;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$ if such $\mathcal{C}$ and $\mathcal{I}$ exist, else returns
an error.

- B takes $\Sigma$, $\Psi$, $E$, $\Pi$, $\nu$, and $R$ as arguments and finds (the unique) $s, u_1, u_2, \mathcal{C}, \mathcal{I}$ such
that $\Sigma;\ \Psi;\ E;\ \Pi \vdash^{\nu} R \Rightarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$ if such $s, u_1, u_2, \mathcal{C}, \mathcal{I}$ exist, else returns an
error.

Further, if $\Sigma \vdash t : \sigma$, $\Sigma;\ \Psi \models c$, and $\Sigma;\ E \models i$ can be decided in constant time, then the
running times of A and B can be made linear in the sizes of $V$ and $R$ respectively.

Proof. By construction of A and B, as in the proof of Theorem 5.8. □

The PCFS proof verification tool uses exactly procedure A of Theorem 5.9 to establish a
judgment of the form $\Sigma, \mathsf{ctime}{:}\mathsf{time};\ \cdot;\ \cdot;\ \Pi \vdash^{\nu} V \Leftarrow \mathsf{admin}\ \mathsf{says}\ (\mathsf{may}\ k\ f\ \eta) \circ [\mathsf{ctime}, \mathsf{ctime}] \backslash \mathcal{C};\ \mathcal{I}$
(see details below). If the judgment can be established, then $\mathcal{C}$ and $\mathcal{I}$ become conditions
of the procap generated by the proof verifier. These conditions are checked by the back end
of PCFS. Therefore, most of the proof checking is performed in the PCFS front end by the
tool called the “proof verifier”, whereas the part of the proof that depends on the time of
access or system state is checked in the back end during file access. The entire process of
proof verification, executed in the two parts, is summarized below.
1. In the front end:

(a) A user invokes the PCFS proof verifier and provides to it $\Pi$ (in the form of
certificates), $V$ (which the user has constructed), $k$, $f$, and $\eta$.

(b) The proof verifier reads $\Sigma$ and admin from a protected location (see §7 for details).

(c) Using procedure A of Theorem 5.9, the verifier tries to construct $\mathcal{C}$ and $\mathcal{I}$ such
that $\Sigma, \mathsf{ctime}{:}\mathsf{time};\ \cdot;\ \cdot;\ \Pi \vdash^{\nu} V \Leftarrow \mathsf{admin}\ \mathsf{says}\ (\mathsf{may}\ k\ f\ \eta) \circ [\mathsf{ctime}, \mathsf{ctime}] \backslash \mathcal{C};\ \mathcal{I}$,
where ctime is a distinguished constant that the back end recognizes and $\nu$ is a
view made of three fresh constants.

(d) If (c) returns an error, then verification fails.

(e) If (c) produces $\mathcal{C}$ and $\mathcal{I}$, then the verifier issues to the user a procap that contains
the access right $(k, f, \eta)$ as well as the conditions $\mathcal{C}$ and $\mathcal{I}$, and signs it with a
secret key known only to it and the PCFS back end. The procap is placed in the
procap store by the user (see §2).

2. In the back end:

(a) During an access on file $f$ by principal $k$ that requires permission $\eta$, the PCFS
back end reads the procap generated in step 1(e) from the procap store, and
parses out $\mathcal{C}$ and $\mathcal{I}$.

(b) For each hypothetical constraint $\Sigma', \mathsf{ctime}{:}\mathsf{time};\ \Psi' \models c'$ in $\mathcal{C}$, the PCFS back end
checks that $\Sigma';\ \Psi'[u/\mathsf{ctime}] \models c'[u/\mathsf{ctime}]$ holds, where $u$ is the time of access.

(c) For each hypothetical state $\Sigma', \mathsf{ctime}{:}\mathsf{time};\ E' \models i'$ in $\mathcal{I}$, the PCFS back end checks
that $\Sigma';\ E, E'[u/\mathsf{ctime}] \models i'[u/\mathsf{ctime}]$, where $E$ is the system state prevailing at
time $u$.

(d) If all checks in 2(b) and 2(c) succeed, then access is allowed, else it is denied.


\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s \circ [u_1,u_2] \backslash \mathcal{C}';\mathcal{I} \qquad \mathcal{C} = (\Sigma;\Psi \models u_1 \leq u_1'),\ (\Sigma;\Psi \models u_2' \leq u_2)}{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Leftarrow s \circ [u_1',u_2'] \backslash \mathcal{C}', \mathsf{unsat}(\mathcal{C});\mathcal{I}}\ (\mathrm{infer})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{check}\ V\ s\ u_1\ u_2 \Rightarrow s \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}\ (\mathrm{check})
\]

\[
\frac{}{\Sigma;\Psi;E;\Pi, \pi : s \circ [u_1,u_2] \vdash^{\nu} \pi \Rightarrow s \circ [u_1,u_2] \backslash \cdot;\cdot}\ (\mathrm{hyp})
\]

\[
\frac{\nu = k, u_b, u_e \qquad \mathcal{C} = (\Sigma;\Psi \models u_1 \leq u_b),\ (\Sigma;\Psi \models u_e \leq u_2),\ (\Sigma;\Psi \models k' \succeq k)}{\Sigma;\Psi;E;\Pi, \pi : k'\ \mathsf{claims}\ s \circ [u_1,u_2] \vdash^{\nu} \pi \Rightarrow s \circ [u_1,u_2] \backslash \mathsf{unsat}(\mathcal{C});\cdot}\ (\mathrm{claims})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{k,u_1,u_2} V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{saysI}\ V \Leftarrow k\ \mathsf{says}\ s \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}\ (\mathrm{saysI})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow k\ \mathsf{says}\ s \circ [u_1,u_2] \backslash \mathcal{C}_1;\mathcal{I}_1 \qquad \Sigma;\Psi;E;\Pi, \pi : k\ \mathsf{claims}\ s \circ [u_1,u_2] \vdash^{\nu} V \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_2;\mathcal{I}_2}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{saysE}\ R\ (\pi.V) \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_1,\mathcal{C}_2;\mathcal{I}_1,\mathcal{I}_2}\ (\mathrm{saysE})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{atI}\ V \Leftarrow (s\ @\ [u_1,u_2]) \circ [u_1',u_2'] \backslash \mathcal{C};\mathcal{I}}\ (@\mathrm{I})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s\ @\ [u_1,u_2] \circ [u_1',u_2'] \backslash \mathcal{C}_1;\mathcal{I}_1 \qquad \Sigma;\Psi;E;\Pi, \pi : s \circ [u_1,u_2] \vdash^{\nu} V \Leftarrow s' \circ [u_1'',u_2''] \backslash \mathcal{C}_2;\mathcal{I}_2}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{atE}\ R\ (\pi.V) \Leftarrow s' \circ [u_1'',u_2''] \backslash \mathcal{C}_1,\mathcal{C}_2;\mathcal{I}_1,\mathcal{I}_2}\ (@\mathrm{E})
\]

\[
\frac{\mathcal{C} = (\Sigma;\Psi \models c)}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{consI} \Leftarrow c \circ [u_1,u_2] \backslash \mathsf{unsat}(\mathcal{C});\cdot}\ (\mathrm{consI})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow c \circ [u_1,u_2] \backslash \mathcal{C}_1;\mathcal{I}_1 \qquad \Sigma;\Psi, c;E;\Pi \vdash^{\nu} V \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_2;\mathcal{I}_2}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{consE}\ R\ V \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_1,\mathcal{C}_2;\mathcal{I}_1,\mathcal{I}_2}\ (\mathrm{consE})
\]

\[
\frac{\mathcal{I} = (\Sigma;E \models i)}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{interI} \Leftarrow i \circ [u_1,u_2] \backslash \cdot;\mathsf{unsat}(\mathcal{I})}\ (\mathrm{interI})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow i \circ [u_1,u_2] \backslash \mathcal{C}_1;\mathcal{I}_1 \qquad \Sigma;\Psi;E, i;\Pi \vdash^{\nu} V \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_2;\mathcal{I}_2}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{interE}\ R\ V \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_1,\mathcal{C}_2;\mathcal{I}_1,\mathcal{I}_2}\ (\mathrm{interE})
\]

Figure 5.3: PCFS proof verification, part 1


\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V_1 \Leftarrow s_1 \circ [u_1,u_2] \backslash \mathcal{C}_1;\mathcal{I}_1 \qquad \Sigma;\Psi;E;\Pi \vdash^{\nu} V_2 \Leftarrow s_2 \circ [u_1,u_2] \backslash \mathcal{C}_2;\mathcal{I}_2}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{conjI}\ V_1\ V_2 \Leftarrow s_1 \wedge s_2 \circ [u_1,u_2] \backslash \mathcal{C}_1,\mathcal{C}_2;\mathcal{I}_1,\mathcal{I}_2}\ (\wedge\mathrm{I})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s_1 \wedge s_2 \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{conjE1}\ R \Rightarrow s_1 \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}\ (\wedge\mathrm{E}_1)
\qquad
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s_1 \wedge s_2 \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{conjE2}\ R \Rightarrow s_2 \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}\ (\wedge\mathrm{E}_2)
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s_1 \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{disjI1}\ V \Leftarrow s_1 \vee s_2 \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}\ (\vee\mathrm{I}_1)
\qquad
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s_2 \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{disjI2}\ V \Leftarrow s_1 \vee s_2 \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}\ (\vee\mathrm{I}_2)
\]

\[
\frac{\begin{array}{c}
\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s_1 \vee s_2 \circ [u_1,u_2] \backslash \mathcal{C}_1;\mathcal{I}_1 \\
\Sigma;\Psi;E;\Pi, \pi_1 : s_1 \circ [u_1,u_2] \vdash^{\nu} V_1 \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_2;\mathcal{I}_2 \\
\Sigma;\Psi;E;\Pi, \pi_2 : s_2 \circ [u_1,u_2] \vdash^{\nu} V_2 \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_3;\mathcal{I}_3
\end{array}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{disjE}\ R\ (\pi_1.V_1)\ (\pi_2.V_2) \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_1,\mathcal{C}_2,\mathcal{C}_3;\mathcal{I}_1,\mathcal{I}_2,\mathcal{I}_3}\ (\vee\mathrm{E})
\]

\[
\frac{}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{topI} \Leftarrow \top \circ [u_1,u_2] \backslash \cdot;\cdot}\ (\top\mathrm{I})
\qquad
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow \bot \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{botE}\ R \Leftarrow s \circ [u_1',u_2'] \backslash \mathcal{C};\mathcal{I}}\ (\bot\mathrm{E})
\]

\[
\frac{\Sigma, x_1{:}\mathsf{time}, x_2{:}\mathsf{time};\ \Psi, u_1 \leq x_1, x_2 \leq u_2;\ E;\ \Pi, \pi : s_1 \circ [x_1,x_2] \vdash^{\nu} V \Leftarrow s_2 \circ [x_1,x_2] \backslash \mathcal{C};\mathcal{I}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{impI}\ (x_1.x_2.\pi.V) \Leftarrow s_1 \supset s_2 \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}\ (\supset\mathrm{I})
\]

\[
\frac{\begin{array}{c}
\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow s_1 \supset s_2 \circ [u_1,u_2] \backslash \mathcal{C}_1;\mathcal{I}_1 \qquad
\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s_1 \circ [u_1',u_2'] \backslash \mathcal{C}_2;\mathcal{I}_2 \\
\mathcal{C} = (\Sigma;\Psi \models u_1 \leq u_1'),\ (\Sigma;\Psi \models u_2' \leq u_2)
\end{array}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{impE}\ R\ V\ u_1'\ u_2' \Rightarrow s_2 \circ [u_1',u_2'] \backslash \mathcal{C}_1,\mathcal{C}_2,\mathsf{unsat}(\mathcal{C});\mathcal{I}_1,\mathcal{I}_2}\ (\supset\mathrm{E})
\]

\[
\frac{\Sigma, x{:}\sigma;\ \Psi;\ E;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{forallI}\ (x.V) \Leftarrow \forall x{:}\sigma.\,s \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}\ (\forall\mathrm{I})
\qquad
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow \forall x{:}\sigma.\,s \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I} \qquad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{forallE}\ t\ R \Rightarrow s[t/x] \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}\ (\forall\mathrm{E})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} V \Leftarrow s[t/x] \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I} \qquad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{existsI}\ t\ V \Leftarrow \exists x{:}\sigma.\,s \circ [u_1,u_2] \backslash \mathcal{C};\mathcal{I}}\ (\exists\mathrm{I})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \vdash^{\nu} R \Rightarrow \exists x{:}\sigma.\,s \circ [u_1,u_2] \backslash \mathcal{C}_1;\mathcal{I}_1 \qquad \Sigma, x{:}\sigma;\ \Psi;\ E;\ \Pi, \pi : s \circ [u_1,u_2] \vdash^{\nu} V \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_2;\mathcal{I}_2}{\Sigma;\Psi;E;\Pi \vdash^{\nu} \mathsf{existsE}\ R\ (x.\pi.V) \Leftarrow s' \circ [u_1',u_2'] \backslash \mathcal{C}_1,\mathcal{C}_2;\mathcal{I}_1,\mathcal{I}_2}\ (\exists\mathrm{E})
\]

Figure 5.4: PCFS proof verification, part 2
5.2.2 Correctness of PCFS Proof Verification

What we seek to establish now is that the PCFS proof verification procedure summarized
at the end of §5.2.1 is both sound and complete. We state soundness and completeness of
proof verification in PCFS with respect to particular proofs that the user provides. For
soundness we wish to show that successful execution of step 1(c) with a proof term $V$,
followed by successful execution of steps 2(b) and 2(c) on the procap derived from it, implies
that $\Sigma;\ \cdot;\ E;\ \Pi \vdash^{\nu} V \Leftarrow \mathsf{admin}\ \mathsf{says}\ (\mathsf{may}\ k\ f\ \eta) \circ [u,u]$. Dually, completeness means that if
$\Sigma;\ \cdot;\ E;\ \Pi \vdash^{\nu} V \Leftarrow \mathsf{admin}\ \mathsf{says}\ (\mathsf{may}\ k\ f\ \eta) \circ [u,u]$, then given $\Pi$ and $V$ as inputs, the proof
verifier will successfully execute to produce conditions $\mathcal{C}$ and $\mathcal{I}$, which will then successfully
check in the PCFS back end at time $u$ in system state $E$ according to checks 2(b) and
2(c). Soundness follows immediately from the following lemma about the inference system
of Figures 5.3 and 5.4.

Lemma 5.10 (Soundness). Suppose that the following hold for some $\mathcal{C}$, $\mathcal{I}$, list $x$ of term
variables, list $\sigma$ of sorts, list $t_0$ of terms satisfying $\Sigma \vdash t_0 : \sigma$, and system state $E_0$ not
containing any element of $x$.

1. For each $(\Sigma', x{:}\sigma;\ \Psi' \models c') \in \mathcal{C}$, it is the case that $\Sigma';\ \Psi'[t_0/x] \models c'[t_0/x]$.

2. For each $(\Sigma', x{:}\sigma;\ E' \models i') \in \mathcal{I}$, it is the case that $\Sigma';\ E_0, E'[t_0/x] \models i'[t_0/x]$.

Then,

A. $\Sigma, x{:}\sigma;\ \Psi;\ E;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$ implies $\Sigma;\ \Psi[t_0/x];\ E_0, E[t_0/x];\ \Pi[t_0/x]
\vdash^{\nu[t_0/x]} V[t_0/x] \Leftarrow s[t_0/x] \circ [u_1[t_0/x], u_2[t_0/x]]$.

B. $\Sigma, x{:}\sigma;\ \Psi;\ E;\ \Pi \vdash^{\nu} R \Rightarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$ implies $\Sigma;\ \Psi[t_0/x];\ E_0, E[t_0/x];\ \Pi[t_0/x]
\vdash^{\nu[t_0/x]} R[t_0/x] \Rightarrow s[t_0/x] \circ [u_1[t_0/x], u_2[t_0/x]]$.

Proof. By simultaneous induction on the derivations given in A and B and case analysis of
their last rules. See Appendix C, Lemma C.3 for some representative cases. □

Theorem 5.11 (Soundness of PCFS verification). Suppose that the following hold for some
time point $u$ and some ground system state $E$.

1. $\Sigma, \mathsf{ctime}{:}\mathsf{time};\ \cdot;\ \cdot;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [\mathsf{ctime}, \mathsf{ctime}] \backslash \mathcal{C};\ \mathcal{I}$ for a fresh constant ctime that
does not occur in $\Sigma$, $\Pi$, $V$, and $s$.

2. For each hypothetical constraint $(\Sigma', \mathsf{ctime}{:}\mathsf{time};\ \Psi' \models c') \in \mathcal{C}$ it is the case that
$\Sigma';\ \Psi'[u/\mathsf{ctime}] \models c'[u/\mathsf{ctime}]$.

3. For each $(\Sigma', \mathsf{ctime}{:}\mathsf{time};\ E' \models i') \in \mathcal{I}$ it is the case that $\Sigma';\ E, E'[u/\mathsf{ctime}] \models i'[u/\mathsf{ctime}]$.

4. $\Sigma \vdash u : \mathsf{time}$.

Then $\Sigma;\ \cdot;\ E;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [u,u]$.

Proof. This theorem is a specific instance of Lemma 5.10(A). □

By choosing $u$ to be the time of access, $E$ to be the system state prevalent at time $u$,
and $s$ to be $\mathsf{admin}\ \mathsf{says}\ (\mathsf{may}\ k\ f\ \eta)$, the assumptions (1)–(3) in the statement of the theorem
correspond exactly to the steps 1(c), 2(b), and 2(c) in the summary at the end of §5.2.1,
and therefore this theorem is indeed a statement of the soundness of the PCFS two-part
verification procedure.

Dual to soundness, the next theorem shows that the PCFS verification method is
complete in the sense described at the beginning of this section.

Theorem 5.12 (Completeness of PCFS verification). Suppose that $\Sigma;\ \cdot;\ E;\ \Pi \vdash^{\nu} V \Leftarrow s \circ
[u,u]$. Let ctime be a fresh constant. Then there exist $\mathcal{C}$ and $\mathcal{I}$ such that the following hold.

1. $\Sigma, \mathsf{ctime}{:}\mathsf{time};\ \cdot;\ \cdot;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [\mathsf{ctime}, \mathsf{ctime}] \backslash \mathcal{C};\ \mathcal{I}$.

2. For each $(\Sigma', \mathsf{ctime}{:}\mathsf{time};\ \Psi' \models c') \in \mathcal{C}$, it is the case that $\Sigma';\ \Psi'[u/\mathsf{ctime}] \models c'[u/\mathsf{ctime}]$.

3. For each $(\Sigma', \mathsf{ctime}{:}\mathsf{time};\ E' \models i') \in \mathcal{I}$, it is the case that $\Sigma';\ E, E'[u/\mathsf{ctime}] \models i'[u/\mathsf{ctime}]$.

Proof. See Theorem C.5 in Appendix C. The proof is based on a converse of Lemma 5.10,
which is also presented in Appendix C. □

Clause (1) of this theorem states that the offline proof verifier of PCFS will always succeed
in checking the structure of a proof that is valid at some time $u$ in some system state
$E$. Clauses (2) and (3) imply that the conditions generated by the verifier will successfully
check in the back end at time $u$ in system state $E$ to allow access. A practically useful
consequence follows from a combination of this theorem with time subsumption (Theorem 5.5):
if $\Sigma;\ \cdot;\ E;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2]$ for some time interval $[u_1,u_2]$, then the conditions $\mathcal{C}$ and
$\mathcal{I}$ resulting from the verification of $V$ can be successfully checked at any time point $u$ in the
interval $[u_1,u_2]$ (provided that the state $E$ holds at $u$). As a result, the proof verifier needs
to be invoked only once for each proof term, and the procap generated from it can be used
again and again over the entire interval of time for which the proof term authorizes access.

5.2.3 Procaps

A procap is a cryptographic token issued by the proof verifier after it successfully checks
a proof. It allows a single user a specific permission on one file or directory. Formally, a
procap is a six-tuple $(k, f, \eta, \mathcal{C}, \mathcal{I}, \mathit{sig})$ where

- $k$ is the principal who is authorized access by the procap.

- $f$ is the file or directory to which access is authorized.

- $\eta$ is the permission allowed (PCFS uses five permissions: read, write, execute, identity,
and govern).

- $\mathcal{C}$ is the multiset of hypothetical constraints on which the procap is conditional; they
may contain the symbolic constant ctime.

- $\mathcal{I}$ is the multiset of hypothetical states on which the procap is conditional.

- $\mathit{sig}$ is a cryptographic signature over the first five elements of the tuple, created using a
symmetric key known only to the proof verifier and the PCFS back end. The signature
prevents forging of procaps.

The procap $(k, f, \eta, \mathcal{C}, \mathcal{I}, \mathit{sig})$ is issued by the proof verifier in the front end whenever it
successfully checks that the judgment $\Sigma, \mathsf{ctime}{:}\mathsf{time};\ \cdot;\ \cdot;\ \Pi \vdash^{\nu} V \Leftarrow \mathsf{admin}\ \mathsf{says}\ (\mathsf{may}\ k\ f\ \eta) \circ
[\mathsf{ctime}, \mathsf{ctime}] \backslash \mathcal{C};\ \mathcal{I}$ can be established. In order to use a procap, the back end must verify
its cryptographic signature $\mathit{sig}$, and check its conditions $\mathcal{C}$ and $\mathcal{I}$ according to steps 2(b)
and 2(c) listed at the end of §5.2.1.

Procaps are central in PCFS since they carry information about access rights $(k, f, \eta)$,
as well as the conditions $\mathcal{C}$ and $\mathcal{I}$ on which the rights are contingent, from the proof verifier
in the front end to the reference monitor in the back end. In fact, the structure of procaps
is the only thing in PCFS that the front end and back end must agree on; other than
that, the two parts of PCFS are totally independent. The set of all valid procaps in a PCFS
system can also be considered a cache of proofs that have been verified, even though procaps
differ from traditional caches in that procaps can be individually distributed and they are
conditional on system state and time.
5.2.4 Revocation of Policy Rules

So far we have assumed implicitly that any policy rules ($\Pi$) in effect at the time of
proof verification in the front end are also in effect at the time of access. This assumption
is manifest in Theorems 5.11 and 5.12, since the hypotheses $\Pi$ in the two judgments
$\Sigma, \mathsf{ctime}{:}\mathsf{time};\ \cdot;\ \cdot;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [\mathsf{ctime}, \mathsf{ctime}] \backslash \mathcal{C};\ \mathcal{I}$ and $\Sigma;\ \cdot;\ E;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [u,u]$ in
the statements of the theorems are identical. Practically, this translates to the assumption
that a policy rule once issued can never be revoked or canceled, except perhaps due to
expiration at the time mentioned in the rule, which is handled automatically by the BL
inference system. In reality, a policy rule may be issued in error, and therefore a mechanism
for untimely revocation is essential. In this section we discuss a straightforward mechanism
for enforcing revocation in the PCFS architecture. Although not supported in the current
implementation of PCFS, it can be easily added.

Let us assume that revoked policy certificates are explicitly available to the PCFS back
end as a list. This is not an unreasonable assumption, since most existing certificate schemes
allow for such lists, often called Certificate Revocation Lists (CRLs). (The issue of who can
create the entries in such a list is orthogonal to our description of enforcement of revocation;
usually the creator of a certificate is allowed to revoke it.) Both formally and in practice,
a CRL can be represented as a list $\mathcal{R} = \pi_1, \ldots, \pi_n$ of proof variables that name revoked
policy rules. Assuming that the CRL available to the PCFS back end is always current,
revocation may be enforced in PCFS using the following two-step procedure.

R1. At the time of proof verification, the PCFS verification tool writes the list $\mathcal{L}$ of all
proof variables that appear free in the proof term $V$ it checks into the procap it
generates ($\mathcal{L}$ becomes an additional condition like $\mathcal{C}$ and $\mathcal{I}$).

R2. Before accepting any procap, the back end of PCFS checks that $\mathcal{L} \cap \mathcal{R} = \phi$, where $\mathcal{L}$
is the list of proof variables included in the procap and $\mathcal{R}$ is the CRL available to the
back end.

To show that this two-step procedure implements revocation soundly, it suffices to
establish that whenever a procap is accepted by the back end of PCFS, the
proof term from whose checking the procap was derived can also be checked in a hypotheses
that is valid at the time the procap is accepted. To establish this result, we need a few
definitions and a lemma.

Definition 5.13. Define $\Pi \backslash \mathcal{R}$ to be the hypotheses $\{ (\pi : J) \in \Pi \mid \pi \notin \mathcal{R} \}$.

Definition 5.14. $\mathsf{fpv}(V)$ and $\mathsf{fpv}(R)$ denote the sets of proof variables occurring free in
$V$ and $R$ respectively.

Lemma 5.15 (Strengthening). The following hold.

A. If $\Sigma;\ \Psi;\ E;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$ and $\mathsf{fpv}(V) \cap \mathcal{R} = \phi$, then $\Sigma;\ \Psi;\ E;\ \Pi \backslash \mathcal{R} \vdash^{\nu}
V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$.

B. If $\Sigma;\ \Psi;\ E;\ \Pi \vdash^{\nu} R \Rightarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$ and $\mathsf{fpv}(R) \cap \mathcal{R} = \phi$, then $\Sigma;\ \Psi;\ E;\ \Pi \backslash \mathcal{R} \vdash^{\nu}
R \Rightarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$.

Proof. By simultaneous induction on the derivations given in A and B and case analysis of their
last rules. □

Theorem 5.16 (Soundness of revocation enforcement). Suppose that a procap obtained by
verifying $\Sigma;\ \cdot;\ \cdot;\ \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$ is accepted by the PCFS back end. Then
there is a hypotheses $\Pi'$ valid when the procap is accepted such that $\Sigma;\ \cdot;\ \cdot;\ \Pi' \vdash^{\nu} V \Leftarrow s \circ
[u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$.

Proof. Let $\mathcal{R}$ be the revocation list when the procap is accepted, and let $\mathcal{L} = \mathsf{fpv}(V)$. Since
step R2 must execute successfully in order for the procap to be accepted, it follows that
$\mathcal{L} \cap \mathcal{R} = \phi$, or equivalently, $\mathsf{fpv}(V) \cap \mathcal{R} = \phi$. Hence by Lemma 5.15(A), $\Sigma;\ \cdot;\ \cdot;\ \Pi \backslash \mathcal{R} \vdash^{\nu}
V \Leftarrow s \circ [u_1,u_2] \backslash \mathcal{C};\ \mathcal{I}$. Choose $\Pi' = \Pi \backslash \mathcal{R}$. Due to our assumption that the CRL
available to the back end is current, every hypothesis in $\Pi'$ must also be valid when the
procap is accepted. □

To show that the enforcement of revocation is complete, we must argue that the procap
generated from verification of a proof term will be accepted by the PCFS back end if no
proof variables occurring in the proof term have been revoked (and the other conditions $\mathcal{C}$
and $\mathcal{I}$ of the procap hold). This is trivially true: if no proof variables occurring in the
proof term have been revoked, then $\mathcal{L} \cap \mathcal{R} = \phi$ in step R2, by definition of $\mathcal{L}$ and $\mathcal{R}$.
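As an added example (not code from the thesis or from PCFS), the following Python models the procap life cycle of §5.2.1, §5.2.3 and §5.2.4: the front end defers constraints that mention ctime, and state judgments it cannot decide against the empty state, into the conditions C and I, then signs the procap with a key shared with the back end (an HMAC standing in for the symmetric-key signature); the back end verifies the signature, performs the CRL check of step R2, and checks 2(b) and 2(c) with ctime replaced by the access time. Constraints are restricted to t1 ≤ t2 over time points, a system state is a set of ground atoms, and all function and field names are hypothetical.

```python
# Added example, not code from the thesis or from PCFS: a minimal model of the
# two-part verification of §5.2.1, the procap of §5.2.3 and the CRL check of
# §5.2.4.  Constraints are restricted to "t1 <= t2" over time points, a system
# state is a set of ground atoms, the symmetric-key signature is an HMAC, and
# every function and field name here is hypothetical.
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple, Union

CTIME = "ctime"                  # the distinguished symbolic constant
Term = Union[int, str]           # a concrete time point, or CTIME
Constraint = Tuple[Term, Term]   # models  Sigma'; Psi' |= t1 <= t2
Atom = Tuple[Term, ...]          # one element of a system state E
HypState = Tuple[Tuple[Atom, ...], Atom]   # models  Sigma'; E' |= i'


def subst(x, u: int):
    """The substitution [u/ctime] of steps 2(b) and 2(c), applied to a term,
    a constraint, an atom or a whole hypothetical state."""
    if isinstance(x, tuple):
        return tuple(subst(y, u) for y in x)
    return u if x == CTIME else x


def mentions_ctime(x) -> bool:
    if isinstance(x, tuple):
        return any(mentions_ctime(y) for y in x)
    return x == CTIME


def constraint_holds(c: Constraint) -> bool:
    """Decision procedure for a ground constraint t1 <= t2."""
    return c[0] <= c[1]


def state_holds(hs: HypState, e: Tuple[Atom, ...]) -> bool:
    """Sigma'; E, E' |= i' holds in this model when i' occurs in E, E'."""
    extra, atom = hs
    return atom in set(e) | set(extra)


def front_end_conditions(constraints: List[Constraint],
                         hyp_states: List[HypState]) -> Optional[Tuple[list, list]]:
    """Procedure A of Theorem 5.9, restricted to the constraint and state
    judgments it meets.  A ground constraint is decided now (failure is a
    verification error); one mentioning ctime cannot be decided and goes into C;
    a state judgment is checked against the empty state, so it goes into I
    unless E' alone already contains i'.  Returns (C, I), or None on error."""
    C, I = [], []
    for c in constraints:
        if mentions_ctime(c):
            C.append(c)
        elif not constraint_holds(c):
            return None
    for hs in hyp_states:
        if not state_holds(hs, ()):
            I.append(hs)
    return C, I


def _sign(key: bytes, body: Dict) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def make_procap(key: bytes, k: str, f: str, eta: str,
                C: list, I: list, fpv: List[str]) -> Dict:
    """Step 1(e) plus R1: (k, f, eta, C, I, sig) extended with the list L of
    proof variables free in V; sig covers every other field."""
    body = {"k": k, "f": f, "eta": eta, "C": C, "I": I, "L": sorted(fpv)}
    return {**body, "sig": _sign(key, body)}


def accept_procap(key: bytes, procap: Dict, k: str, f: str, eta: str, u: int,
                  state: Tuple[Atom, ...], crl: List[str]) -> Tuple[bool, str]:
    """The back end's checks: signature, access right, R2, then 2(b) and 2(c).
    u is the clock reading and `state` the system state at the access."""
    body = {n: procap[n] for n in ("k", "f", "eta", "C", "I", "L")}
    if not hmac.compare_digest(_sign(key, body), procap["sig"]):
        return False, "signature does not verify"
    if (procap["k"], procap["f"], procap["eta"]) != (k, f, eta):
        return False, "procap does not grant this access"
    if set(procap["L"]) & set(crl):                     # R2: L and R must be disjoint
        return False, "proof relies on a revoked policy rule"
    for c in procap["C"]:                               # 2(b)
        if not constraint_holds(subst(c, u)):
            return False, f"constraint {c} fails at time {u}"
    for hs in procap["I"]:                              # 2(c)
        if not state_holds(subst(hs, u), state):
            return False, f"state condition {hs[1]} fails"
    return True, "allowed"


if __name__ == "__main__":
    KEY = b"front/back-end shared secret (constructed)"
    # Constructed run: checking V met 10 <= ctime, ctime <= 20 and 5 <= 10, and
    # needed owner(alice, /f) from the system state.
    conds = front_end_conditions([(10, CTIME), (CTIME, 20), (5, 10)],
                                 [((), ("owner", "alice", "/f"))])
    pc = make_procap(KEY, "alice", "/f", "read", *conds, ["pi1", "pi2"])
    owns = (("owner", "alice", "/f"),)
    print(accept_procap(KEY, pc, "alice", "/f", "read", 15, owns, []))       # allowed
    print(accept_procap(KEY, pc, "alice", "/f", "read", 25, owns, []))       # too late
    print(accept_procap(KEY, pc, "alice", "/f", "read", 15, owns, ["pi2"]))  # revoked
```

Because the conditions keep ctime symbolic, the same procap is accepted at every clock reading in [10, 20] for which the state condition holds, which is the reuse property noted after Theorem 5.12.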


5.3 Proof Terms from the Sequent Calculus

Even though we have discussed proof terms for natural deduction so far, it is reasonable to
expect that any automated proof search tool for BL will be based on the sequent calculus
of §4.2.4 (this includes the proof search tool provided with PCFS; see §6). The objective
of this section is to explain how proof terms may be derived from a sequent calculus proof.
Given that there are constructive proofs which show both that the sequent calculus can be
simulated in natural deduction (Theorem 4.14) and that proof terms can be assigned to
natural deduction proofs (Theorem 5.3), a procedure to derive proof terms from sequent
calculus proofs may be obtained simply by composing the proofs of the two theorems.
However, keeping in mind that such a procedure is central to the implementation of proof
search tools, it is useful to understand the composed procedure in the simplest terms. This
is precisely the objective of this section: it describes a direct assignment of proof terms to
sequent calculus proofs, without a detour into natural deduction.

The direct assignment of proof terms to sequent calculus proofs is described as a new
inference system, which only adds proof annotations to the sequent calculus of Figures 4.4
and 4.5. This annotated sequent calculus is shown in Figures 5.5 and 5.6. Its hypothetical
judgment, called an annotated sequent, has the form $\Sigma;\ \Psi;\ E;\ \Pi \longrightarrow^{\nu} V : s \circ [u_1,u_2]$. The
rules of the annotated sequent calculus correspond one-to-one with the rules of the sequent
calculus and preserve the structure of the latter. Proof terms are constructed using the
following general rules.

- For a sequent calculus proof ending in a right rule, a proof term is obtained using the
corresponding introduction constructor of checkables (e.g., rule (saysR)).
- If a sequent calculus proof ends in a left rule, then the proof term is obtained by naming
the component(s) of the principal judgment by new variable(s) in the premises and
either substituting these variables in the conclusion (e.g., the rule ($\wedge$L)) or binding
the new variables (e.g., the rule (saysL)), in each case with an elimination constructor
for proof terms.

The rules of Figures 5.5 and 5.6 do not mention the constructor check. Since check is
the only constructor that takes a formula as an argument, it follows that any proof term
constructed from a sequent calculus proof does not contain any formula as an annotation. We
make a similar observation for proof terms derived from canonical proofs in §5.4.


\[
\frac{\Sigma;\Psi \models u_1' \leq u_1 \qquad \Sigma;\Psi \models u_2 \leq u_2'}{\Sigma;\Psi;E;\Pi, \pi : p \circ [u_1',u_2'] \longrightarrow^{\nu} \pi : p \circ [u_1,u_2]}\ (\mathrm{init})
\]

\[
\frac{\begin{array}{c}
\Sigma;\Psi;E;\Pi, \pi : k\ \mathsf{claims}\ s \circ [u_1,u_2], \tau : s \circ [u_1,u_2] \longrightarrow^{\nu} V : r \circ [u_1',u_2'] \\
\nu = k', u_b, u_e \qquad \Sigma;\Psi \models u_1 \leq u_b \qquad \Sigma;\Psi \models u_e \leq u_2 \qquad \Sigma;\Psi \models k \succeq k'
\end{array}}{\Sigma;\Psi;E;\Pi, \pi : k\ \mathsf{claims}\ s \circ [u_1,u_2] \longrightarrow^{\nu} V[\pi/\tau] : r \circ [u_1',u_2']}\ (\mathrm{claims})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \longrightarrow^{k,u_1,u_2} V : s \circ [u_1,u_2]}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{saysI}\ V : k\ \mathsf{says}\ s \circ [u_1,u_2]}\ (\mathrm{saysR})
\]

\[
\frac{\Sigma;\Psi;E;\Pi, \pi : k\ \mathsf{says}\ s \circ [u_1,u_2], \tau : k\ \mathsf{claims}\ s \circ [u_1,u_2] \longrightarrow^{\nu} V : r \circ [u_1',u_2']}{\Sigma;\Psi;E;\Pi, \pi : k\ \mathsf{says}\ s \circ [u_1,u_2] \longrightarrow^{\nu} \mathsf{saysE}\ \pi\ (\tau.V) : r \circ [u_1',u_2']}\ (\mathrm{saysL})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} V : s \circ [u_1,u_2]}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{atI}\ V : s\ @\ [u_1,u_2] \circ [u_1',u_2']}\ (@\mathrm{R})
\]

\[
\frac{\Sigma;\Psi;E;\Pi, \pi : s\ @\ [u_1',u_2'] \circ [u_1,u_2], \tau : s \circ [u_1',u_2'] \longrightarrow^{\nu} V : r \circ [u_1'',u_2'']}{\Sigma;\Psi;E;\Pi, \pi : s\ @\ [u_1',u_2'] \circ [u_1,u_2] \longrightarrow^{\nu} \mathsf{atE}\ \pi\ (\tau.V) : r \circ [u_1'',u_2'']}\ (@\mathrm{L})
\]

\[
\frac{\Sigma;\Psi \models c}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{consI} : c \circ [u_1,u_2]}\ (\mathrm{consR})
\qquad
\frac{\Sigma;\Psi, c;E;\Pi, \pi : c \circ [u_1,u_2] \longrightarrow^{\nu} V : r \circ [u_1',u_2']}{\Sigma;\Psi;E;\Pi, \pi : c \circ [u_1,u_2] \longrightarrow^{\nu} \mathsf{consE}\ \pi\ V : r \circ [u_1',u_2']}\ (\mathrm{consL})
\]

\[
\frac{\Sigma;E \models i}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{interI} : i \circ [u_1,u_2]}\ (\mathrm{interR})
\qquad
\frac{\Sigma;\Psi;E, i;\Pi, \pi : i \circ [u_1,u_2] \longrightarrow^{\nu} V : r \circ [u_1',u_2']}{\Sigma;\Psi;E;\Pi, \pi : i \circ [u_1,u_2] \longrightarrow^{\nu} \mathsf{interE}\ \pi\ V : r \circ [u_1',u_2']}\ (\mathrm{interL})
\]

Figure 5.5: Annotated sequent calculus, part 1


\[
\frac{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} V_1 : s_1 \circ [u_1,u_2] \qquad \Sigma;\Psi;E;\Pi \longrightarrow^{\nu} V_2 : s_2 \circ [u_1,u_2]}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{conjI}\ V_1\ V_2 : s_1 \wedge s_2 \circ [u_1,u_2]}\ (\wedge\mathrm{R})
\]

\[
\frac{\Sigma;\Psi;E;\Pi, \pi : s_1 \wedge s_2 \circ [u_1,u_2], \tau_1 : s_1 \circ [u_1,u_2], \tau_2 : s_2 \circ [u_1,u_2] \longrightarrow^{\nu} V : r \circ [u_1',u_2']}{\Sigma;\Psi;E;\Pi, \pi : s_1 \wedge s_2 \circ [u_1,u_2] \longrightarrow^{\nu} V[(\mathsf{conjE1}\ \pi)/\tau_1][(\mathsf{conjE2}\ \pi)/\tau_2] : r \circ [u_1',u_2']}\ (\wedge\mathrm{L})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} V : s_1 \circ [u_1,u_2]}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{disjI1}\ V : s_1 \vee s_2 \circ [u_1,u_2]}\ (\vee\mathrm{R}_1)
\qquad
\frac{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} V : s_2 \circ [u_1,u_2]}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{disjI2}\ V : s_1 \vee s_2 \circ [u_1,u_2]}\ (\vee\mathrm{R}_2)
\]

\[
\frac{\begin{array}{c}
\Sigma;\Psi;E;\Pi, \pi : s_1 \vee s_2 \circ [u_1,u_2], \tau_1 : s_1 \circ [u_1,u_2] \longrightarrow^{\nu} V_1 : r \circ [u_1',u_2'] \\
\Sigma;\Psi;E;\Pi, \pi : s_1 \vee s_2 \circ [u_1,u_2], \tau_2 : s_2 \circ [u_1,u_2] \longrightarrow^{\nu} V_2 : r \circ [u_1',u_2']
\end{array}}{\Sigma;\Psi;E;\Pi, \pi : s_1 \vee s_2 \circ [u_1,u_2] \longrightarrow^{\nu} \mathsf{disjE}\ \pi\ (\tau_1.V_1)\ (\tau_2.V_2) : r \circ [u_1',u_2']}\ (\vee\mathrm{L})
\]

\[
\frac{}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{topI} : \top \circ [u_1,u_2]}\ (\top\mathrm{R})
\qquad
\frac{}{\Sigma;\Psi;E;\Pi, \pi : \bot \circ [u_1,u_2] \longrightarrow^{\nu} \mathsf{botE}\ \pi : r \circ [u_1',u_2']}\ (\bot\mathrm{L})
\]

\[
\frac{\Sigma, x_1{:}\mathsf{time}, x_2{:}\mathsf{time};\ \Psi, u_1 \leq x_1, x_2 \leq u_2;\ E;\ \Pi, \pi : s_1 \circ [x_1,x_2] \longrightarrow^{\nu} V : s_2 \circ [x_1,x_2]}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{impI}\ (x_1.x_2.\pi.V) : s_1 \supset s_2 \circ [u_1,u_2]}\ (\supset\mathrm{R})
\]

\[
\frac{\begin{array}{c}
\Sigma;\Psi;E;\Pi, \pi : s_1 \supset s_2 \circ [u_1,u_2] \longrightarrow^{\nu} V_1 : s_1 \circ [u_1',u_2'] \\
\Sigma;\Psi;E;\Pi, \pi : s_1 \supset s_2 \circ [u_1,u_2], \tau : s_2 \circ [u_1',u_2'] \longrightarrow^{\nu} V_2 : r \circ [u_1'',u_2''] \\
\Sigma;\Psi \models u_1 \leq u_1' \qquad \Sigma;\Psi \models u_2' \leq u_2
\end{array}}{\Sigma;\Psi;E;\Pi, \pi : s_1 \supset s_2 \circ [u_1,u_2] \longrightarrow^{\nu} V_2[(\mathsf{impE}\ \pi\ V_1\ u_1'\ u_2')/\tau] : r \circ [u_1'',u_2'']}\ (\supset\mathrm{L})
\]

\[
\frac{\Sigma, x{:}\sigma;\ \Psi;\ E;\ \Pi \longrightarrow^{\nu} V : s \circ [u_1,u_2]}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{forallI}\ (x.V) : \forall x{:}\sigma.\,s \circ [u_1,u_2]}\ (\forall\mathrm{R})
\]

\[
\frac{\Sigma;\Psi;E;\Pi, \pi : \forall x{:}\sigma.\,s \circ [u_1,u_2], \tau : s[t/x] \circ [u_1,u_2] \longrightarrow^{\nu} V : r \circ [u_1',u_2'] \qquad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Pi, \pi : \forall x{:}\sigma.\,s \circ [u_1,u_2] \longrightarrow^{\nu} V[(\mathsf{forallE}\ t\ \pi)/\tau] : r \circ [u_1',u_2']}\ (\forall\mathrm{L})
\]

\[
\frac{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} V : s[t/x] \circ [u_1,u_2] \qquad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Pi \longrightarrow^{\nu} \mathsf{existsI}\ t\ V : \exists x{:}\sigma.\,s \circ [u_1,u_2]}\ (\exists\mathrm{R})
\]

\[
\frac{\Sigma, x{:}\sigma;\ \Psi;\ E;\ \Pi, \pi : \exists x{:}\sigma.\,s \circ [u_1,u_2], \tau : s \circ [u_1,u_2] \longrightarrow^{\nu} V : r \circ [u_1',u_2']}{\Sigma;\Psi;E;\Pi, \pi : \exists x{:}\sigma.\,s \circ [u_1,u_2] \longrightarrow^{\nu} \mathsf{existsE}\ \pi\ (x.\tau.V) : r \circ [u_1',u_2']}\ (\exists\mathrm{L})
\]

Figure 5.6: Annotated sequent calculus, part 2

If  all  proof  variables  and  proof  terms  are  erased  from  a  derivation  in  the  annotated 
calculus,  then  a  correct  sequent  calculus  derivation  is  obtained.  Dually,  given  a  sequent 
calculus  derivation,  it  is  easy  to  annotate  it  with  proof  terms  following  the  rules  of  Figures  5.5 
and  5.6.  These  observations  are  formalized  in  the  following  two  theorems. 

Theorem 5.17 (Soundness). If $\Sigma;\Psi;E;\Pi \to V : s \circ [u_1,u_2]$, then $\Sigma;\Psi;E;|\Pi| \to s \circ [u_1,u_2]$.

Proof. By induction on the given derivation of $\Sigma;\Psi;E;\Pi \to V : s \circ [u_1,u_2]$. The idea is to systematically erase all proof variables and proof terms from the given derivation. □

Theorem 5.18 (Completeness). If $\Sigma;\Psi;E;\Gamma \to s \circ [u_1,u_2]$ and $|\Pi| = \Gamma$, then there is a checkable $V$ such that $\Sigma;\Psi;E;\Pi \to V : s \circ [u_1,u_2]$.

Proof. By induction on the given derivation of $\Sigma;\Psi;E;\Gamma \to s \circ [u_1,u_2]$. □

Further, every proof term constructed by the annotated sequent calculus is “correct” in the sense that it can be checked using the rules of Figures 5.1 and 5.2.

Theorem 5.19 (Correctness). If $\Sigma;\Psi;E;\Pi \to V : s \circ [u_1,u_2]$, then $\Sigma;\Psi;E;\Pi \vdash_\nu V \Leftarrow s \circ [u_1,u_2]$.

Proof. By induction on the given derivation of $\Sigma;\Psi;E;\Pi \to V : s \circ [u_1,u_2]$ and case analysis of its last rule. See Appendix C, Theorem C.6 for some representative cases. □

Theorems  5.18  and  5.19  together  imply  that  the  rules  of  Figures  5.5  and  5.6  constitute 
a  sound  and  complete  proof  term  assignment  system  for  the  sequent  calculus  of  BL.  This 
proof  term  assignment  system  is  used  in  the  proof  search  tool  described  in  §6,  although  for 
simplicity,  that  chapter  does  not  mention  proof  terms.  Also,  Theorems  5.18,  5.19,  and  5.2 
together  provide  another  proof  that  the  sequent  calculus  of  BL  can  be  simulated  in  natural 
deduction  (Theorem  4.14). 

5.4  Proof  Terms  for  Canonical  Proofs 

The  subject  of  this  section  is  orthogonal  to  the  rest  of  the  thesis  and  the  disinclined  reader 
may  skip  it  without  a  break  in  continuity. 

As observed in §5.1, the rules of Figures 5.1 and 5.2 are very similar to those that define canonical and atomic proofs for BL (Figures 4.7 and 4.8). In fact the proof term calculus excluding both the proof term constructor check and the rule (check) is a proof term assignment for canonical and atomic proofs. Precisely, if a derivation in the proof term system does not contain the rule (check), then erasing all proof variables and proof terms, and replacing each $\Leftarrow$ by $\Uparrow$ and each $\Rightarrow$ by $\Downarrow$, results in a valid derivation by the rules of Figures 4.7 and 4.8. Dually, each canonical proof is witnessed by a checkable, and each atomic proof by an inferable. These observations are formalized in the following theorems.
Theorem 5.20 (Soundness). The following hold for $V$ and $R$ that do not contain the constructor check.

1. If $\Sigma;\Psi;E;\Pi \vdash_\nu V \Leftarrow s \circ [u_1,u_2]$ then $\Sigma;\Psi;E;|\Pi| \vdash_\nu s \circ [u_1,u_2] \Uparrow$.

2. If $\Sigma;\Psi;E;\Pi \vdash_\nu R \Rightarrow s \circ [u_1,u_2]$ then $\Sigma;\Psi;E;|\Pi| \vdash_\nu s \circ [u_1,u_2] \Downarrow$.

Proof. By simultaneous induction on the given derivations. □

Theorem 5.21 (Completeness). Suppose $|\Pi| = \Gamma$. Then the following hold.

1. If $\Sigma;\Psi;E;\Gamma \vdash_\nu s \circ [u_1,u_2] \Uparrow$, then there is a checkable $V$ such that $\Sigma;\Psi;E;\Pi \vdash_\nu V \Leftarrow s \circ [u_1,u_2]$.

2. If $\Sigma;\Psi;E;\Gamma \vdash_\nu s \circ [u_1,u_2] \Downarrow$, then there is an inferable $R$ such that $\Sigma;\Psi;E;\Pi \vdash_\nu R \Rightarrow s \circ [u_1,u_2]$.

Further, the $V$ in (1) and the $R$ in (2) can be chosen such that they do not contain the constructor check.

Proof. By simultaneous induction on the derivations given in (1) and (2). □

Proof term normalization. Given that proof terms without the constructor check correspond to canonical and atomic proofs, we may define canonical and atomic proof terms as follows.

-  A checkable $V$ is called canonical if it does not contain the constructor check.

-  An inferable $R$ is called atomic if it does not contain the constructor check.

Canonical proof terms are BL analogues of the usual $\beta$-normal forms in the typed lambda calculus since they cannot contain a $\beta$-redex. (From the syntax of proof terms, the principal argument of every elimination constructor in a canonical proof term must have at the top level an elimination constructor.)

Further, Theorems 5.2, 4.19, and 5.21 imply that any proof term which witnesses a judgment can be “normalized”. Suppose that $V$ is a checkable such that $\Sigma;\Psi;E;\Pi \vdash_\nu V \Leftarrow s \circ [u_1,u_2]$. By Theorem 5.2, $\Sigma;\Psi;E;|\Pi| \vdash_\nu s \circ [u_1,u_2]$ and by Theorem 4.19, $\Sigma;\Psi;E;|\Pi| \vdash_\nu s \circ [u_1,u_2] \Uparrow$. Therefore by Theorem 5.21 there is a canonical proof term $V'$ such that $\Sigma;\Psi;E;\Pi \vdash_\nu V' \Leftarrow s \circ [u_1,u_2]$. What is more interesting here is that the proofs of Theorems 5.2, 4.19, and 5.21 can be composed to obtain a normalization procedure that produces a canonical $V'$ from $V$. However, owing to our use of admissibility of cut in the proof of Theorem 4.19, this procedure is somewhat indirect and provides little insight beyond what is already present in the proofs of Theorems 5.2, 4.19, and 5.21. Since we have no occasion to use the normalization procedure in this thesis, we do not present it in any further detail. The same normalization result can also be established through reduction rules for proof terms.




Chapter  5.  BL  Proof  Terms,  Their  Verification,  and  Procaps 


5.5  Related  Work 

There  is  a  significant  amount  of  related  work  on  proof  terms  for  intuitionistic  logics,  as  well 
as  a  limited  amount  of  related  work  on  proof  terms  in  the  context  of  authorization.  We 
start  with  a  description  of  the  former  and  then  turn  to  the  latter. 

Broadly speaking, our presentation of proof terms derives from the well known Curry-Howard isomorphism which states that the typed lambda calculus is a proof term assignment
system  for  intuitionistic  logic  (see,  e.g.,  [72]).  Extensions  of  the  isomorphism  are  known  for 
variants  of  intuitionistic  logics  including  linear  logic  [141]  and  modal  logics  [115],  as  well 
as  for  classical  logic  [75].  More  specifically,  the  bidirectional  style  of  proof  terms  as  well  as 
the  verification  procedures  of  Theorem  5.8  are  based  on  prior  work  on  bidirectional  type 
systems  [117],  and  are  even  more  closely  related  to  Pfenning’s  notes  on  proof  systems  for 
intuitionistic  logic  [114].  In  particular,  the  assignment  of  proof  terms  to  sequent  calculus 
proofs  and  canonical  proofs  of  BL  is  a  generalization  of  similar  work  in  the  latter. 

In the context of authorization, DeYoung investigates bidirectional proof terms for η logic in his undergraduate thesis [53]. The syntax of proof terms presented in §5.1 is similar to and based on that work. In particular, the specific interactions between inference, checking, and explicit time in the rules (infer) and (check) of Figure 5.1 go back to DeYoung's work. DeYoung also describes an implementation of proof verification procedures analogous to those in Theorem 5.8. The two-part verification procedure that PCFS implements, its formalization, and its correctness are all novel to this thesis. Since DeYoung's work was not designed for a realistic implementation, it does not discuss properties of proof terms, although it seems that analogues of all properties from §5.1.2 should also hold for proof terms of η logic.

On a more practical note, the implementation of the authorization policy language SecPAL includes a proof visualization tool which can be used to inspect graphically the structure of an inference [23]. The tool may be very useful for administrators and users, both for debugging policies as well as for audit.

Prior work by Chaudhuri also considers mechanisms for enforcement of authorization policies by offlining policy decisions and using capabilities to convey the results of decisions to the reference monitor [40]. However, both policy decisions and capabilities are kept abstract. While some of the ideas in that work are similar to those in §5.2.2, e.g., Chaudhuri's correctness theorems also compare capability based enforcement mechanisms to ideal ones where the policy decision is made by the reference monitor, the problems addressed in that work and ours are different. We work with a fixed logic and show that the process of extracting conditions from proofs and checking them in the back end is sound and complete. On the other hand, Chaudhuri's work is concerned with ensuring that the architecture with capabilities is observationally similar to that without them. As a result, certain issues like information leaks on denied access are relevant in Chaudhuri's work, not ours. Similarly, the effect of state changes on policies is relevant only in PCFS, not Chaudhuri's work. Aside from such differences, Chaudhuri's work has had a significant influence on the high-level design of PCFS.
In this chapter we discuss the theory and implementation of a practical method for automatically finding proofs of authorization given policy rules represented in our logic BL. This method is the basis of the proof search tool pcfs-search that is included with our file system PCFS (§7.1). Broadly construed, the proof search method is based on the sequent calculus (§4.2.4). However, the sequent calculus by itself is too non-deterministic to be used for proof search directly: a proof of $\Sigma;\Psi;E;\Gamma \to s \circ [u_1,u_2]$ may be obtained by applying either a right rule to $s$, or a left rule to any of the hypotheses in $\Gamma$. This results in a large number of choices at each step, due to which any proof search based naively on the sequent calculus may have to explore a formidably large space of proofs. The approach we follow in this chapter, called goal-directed search, reduces this search space significantly (goal-directed search is explained in §6.1). To maintain completeness with respect to the sequent calculus, we restrict our attention to an expressive fragment of BL called BL$_G$. All policies presented in this thesis lie in this fragment.

Precisely, the problem we are trying to address in this chapter is that of finding a proof term $V$ such that $\Sigma;\Psi;E;\Pi \vdash_\nu V \Leftarrow s \circ [u_1,u_2]$, if such a proof term exists. We assume that $\Sigma$, $\Psi$, $E$, $\Pi$, $\nu$, $s$, $u_1$, and $u_2$ are given. As discussed in §7.1, these inputs are obtained from various sources in the PCFS proof search tool. In particular, the user invoking the tool is responsible for providing $s$, $u_1$, $u_2$, and $\Pi$ (the latter in the form of digital certificates). However, for simplicity, we omit a description of proof terms from this chapter, and concentrate only on constructing the proof using inference rules. Proof terms may be added easily to the proof search calculus described here using ideas from the assignment of proof terms to the sequent calculus (§5.3), which is also what pcfs-search does.

The rest of this chapter is organized as follows. In §6.1 we present background material on goal-directed proof search. §6.2 presents the fragment BL$_G$, and the rules for goal-directed proof search. In §6.3, we prove that goal-directed proof search is sound and complete with respect to the sequent calculus. §6.4 discusses implementation-specific issues that are relevant to the tool pcfs-search. Related work is presented in §6.5. It is important to clarify that the method of proof search presented in this chapter is not a decision procedure, since BL$_G$ is not decidable. Completeness of proof search means that there is a non-deterministic strategy within the confines of the formal rules of goal-directed proof search that will find a proof if one exists. The strategy may be determinized using breadth-first search, thus making proof search a semi-decision procedure, although this is often slow in practice, so pcfs-search uses depth-first search with backtracking instead.

We advise readers to revisit the sequent calculus for BL presented in §4.2.4 before reading the rest of this chapter.

6.1  Background:  What  Is  Goal-directed  Proof  Search? 

The term “goal” refers to the formula in the conclusion of a sequent that we wish to establish through proof search. Precisely, the goal of $\Sigma;\Psi;E;\Gamma \to s \circ [u_1,u_2]$ is $s$. By goal-directed search we mean a backwards¹ search for a proof which proceeds at each step by decomposing the goal of the sequent, in accordance with the right rules of the sequent calculus. Other rules are used only when the goal is atomic (in the specific case of BL, only when the conclusion has the form $p \circ [u_1,u_2]$). For example, to find a proof of $\Sigma;\Psi;E;\Gamma \to s_1 \wedge s_2 \circ [u_1,u_2]$, goal-directed search would try to find proofs of $\Sigma;\Psi;E;\Gamma \to s_1 \circ [u_1,u_2]$ and $\Sigma;\Psi;E;\Gamma \to s_2 \circ [u_1,u_2]$, and then combine them with the rule ($\wedge R$). Similarly, to find a proof of $\Sigma;\Psi;E;\Gamma \to s_1 \vee s_2 \circ [u_1,u_2]$ goal-directed search would try to find a proof of $\Sigma;\Psi;E;\Gamma \to s_1 \circ [u_1,u_2]$, and if it fails, it would try to find a proof of $\Sigma;\Psi;E;\Gamma \to s_2 \circ [u_1,u_2]$. (The attempts could also be made in the other order.) If either case succeeds the proof is completed using the corresponding right rule ($\vee R_1$) or ($\vee R_2$), else the proof search fails.

If the goal is atomic, or more precisely the conclusion has the form $p \circ [u_1,u_2]$ in BL, then goal-directed search proceeds by backchaining. The idea of backchaining, based on languages like Prolog, is to pick a suitable hypothesis $s' \circ [u_1',u_2'] \in \Gamma$ and to use it to find a list of judgments $\mathcal{J}$ such that provability of $\Sigma;\Psi;E;\Gamma \to J$ for each $J \in \mathcal{J}$ implies provability of $\Sigma;\Psi;E;\Gamma \to p \circ [u_1,u_2]$. The elements of $\mathcal{J}$ are often called subgoals. The proof search procedure then tries to find proofs of the subgoals recursively, which, if successful, entail provability of $\Sigma;\Psi;E;\Gamma \to p \circ [u_1,u_2]$. Formal rules for finding $\mathcal{J}$ given $s' \circ [u_1',u_2']$ and $p \circ [u_1,u_2]$ are loosely based on the left rules of the sequent calculus, but the connection between the two is not as strong as the connection between the right rules of the sequent calculus and the rules for decomposing goals in goal-directed search. Backchaining for BL is covered in §6.2.

Whereas goal-directed search constrains non-determinism in the sequent calculus significantly, and is both easy to formalize and simple to implement efficiently, there is an important theoretical concern that must be addressed: is goal-directed search complete in the sense that if a sequent is provable then goal-directed search will find a proof of it? It is quite easy to show that this is not true in general, because for certain kinds of goals it is not the case that if a sequent with the goal is provable, then the sequents obtained by applying one of the right rules backwards are also provable. For example, provability of $\Sigma;\Psi;E;\Gamma \to s_1 \vee s_2 \circ [u_1,u_2]$ does not, in general, imply that one of $\Sigma;\Psi;E;\Gamma \to s_1 \circ [u_1,u_2]$ and $\Sigma;\Psi;E;\Gamma \to s_2 \circ [u_1,u_2]$ is provable. Consequently, goal-directed search may not always succeed on a provable sequent whose goal has a top level disjunction in it. Similar incompleteness exists for the connectives $\bot$, $\exists$, and says.

¹The adjective “backwards” means that the rules of the sequent calculus are applied from the conclusion to the premises, thus constructing a proof from the sequent to be proved towards the leaves. The other possibility, which we do not consider in this chapter, is to apply the rules from premises to conclusions. The latter is called the inverse method.

Given that goal-directed search is incomplete for all of BL (and similarly for all of intuitionistic logic), the next question is whether there is a useful fragment of the logic for which goal-directed search is complete. The answer to this question is affirmative. Most logics (including BL) have large fragments on which goal-directed search is complete. The common idea in these fragments is to restrict the occurrences of connectives in goals and hypotheses. Interestingly, and perhaps non-intuitively, such restrictions invariably imply that whenever a sequent is provable, then the sequents obtained by applying backwards one of the right rules of the top level connective of its goal are all provable, thus making goal-directed search complete. As illustrations, we list below, in increasing order of expressiveness, some previously investigated fragments of intuitionistic and linear logic on which goal-directed search is complete.

-  The well-known Horn fragment of first-order logic, which restricts connectives in hypotheses to atoms, $\wedge$, $\top$, $\supset$, and $\forall$, and those in goals to atoms, $\wedge$, $\top$, $\vee$, $\bot$, and $\exists$ (see, e.g., [103]). Prolog is based on this fragment.

-  The Hereditary-Harrop fragment, which generalizes the Horn fragment by allowing all connectives in goals [103]. The main difference between the Horn fragment and the Hereditary-Harrop fragment is that in the former the hypotheses do not change during proof search whereas in the latter they may change due to backwards applications of the rule ($\supset R$).

-  The linear logic programming language Lolli [78], which in addition to including linear connectives, generalizes the Hereditary-Harrop fragment by allowing the linear analogues of the connectives $\vee$, $\bot$, and $\exists$ at the top level in hypotheses. This fragment requires a proof search procedure that is slightly more general than goal-directed search proper, but still fits into the general paradigm of “goal-directed”. Precisely, whenever a new hypothesis is introduced using the rule ($\supset R$), its top level $\vee$ and $\exists$ connectives are immediately decomposed with left rules, after which goal decomposition is resumed.
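The search strategy described in this section, as an added example that is not code from the thesis or from pcfs-search: a small Python goal-directed prover over a propositional fragment with explicit time intervals. It shows goal decomposition with depth-first backtracking over disjunctions, backchaining on clauses with the interval containment check $u_1 \le u_1'$, $u_2' \le u_2$ (the subgoals a clause leaves behind are the query list), the incompleteness of goal-directed search proper on a disjunctive hypothesis, and the Lolli-style eager decomposition of such hypotheses from the third point above. Quantifiers, says, constraints, interpreted predicates, the fresh time variables of the thesis's implication right rule and the F-sequent flag are omitted; the tuple encoding, the function names and the sample policy are this example's own assumptions.

```python
"""Goal-directed proof search over a small explicit-time fragment.

Added illustration, not code from the thesis or from pcfs-search.  Only
propositional connectives, '@' and integer time intervals are kept; the
quantifiers, `says`, constraints, interpreted predicates and the fresh time
variables of the thesis's implication right rule are left out, so an
implication may occur only inside a clause.  Formulas are tuples:
  ('atom', 'p')   ('and', f, g)   ('or', f, g)   ('top',)   ('bot',)
  ('at', f, (u1, u2))  = f @ [u1, u2]        ('imp', g, d)  = g ⊃ d
A hypothesis is (formula, (u1, u2)): the formula holds on [u1, u2].
"""

def contains(outer, inner):
    """[u1,u2] ⊇ [u1',u2'], i.e. the constraints u1 ≤ u1' and u2' ≤ u2."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def focus(clause, civ, atom, giv):
    """Backchaining step: yield the query lists (remaining subgoals) under
    which clause∘civ proves atom∘giv.  Plays the role of an F-sequent."""
    kind = clause[0]
    if kind == 'atom':
        if clause == atom and contains(civ, giv):
            yield []
    elif kind == 'and':                      # either conjunct may be used
        yield from focus(clause[1], civ, atom, giv)
        yield from focus(clause[2], civ, atom, giv)
    elif kind == 'at':                       # d @ [v1,v2] holds on [v1,v2]
        yield from focus(clause[1], clause[2], atom, giv)
    elif kind == 'imp':
        # g ⊃ d on civ yields d on any sub-interval on which g holds; the
        # goal's own interval is the most useful sub-interval to choose.
        if contains(civ, giv):
            for rest in focus(clause[2], giv, atom, giv):
                yield [(clause[1], giv)] + rest
    # 'or', 'top' and 'bot' cannot head a usable clause: no solutions

def prove(policy, goal, iv, depth=0):
    """R-sequent: decompose the goal; at an atom, backchain (N-sequent)."""
    if depth > 50:                           # guard against looping policies
        return False
    kind = goal[0]
    if kind == 'top':
        return True
    if kind == 'bot':
        return False
    if kind == 'and':
        return prove(policy, goal[1], iv, depth) and prove(policy, goal[2], iv, depth)
    if kind == 'or':                         # choice point with backtracking
        return prove(policy, goal[1], iv, depth) or prove(policy, goal[2], iv, depth)
    if kind == 'at':
        return prove(policy, goal[1], goal[2], depth)
    for clause, civ in policy:               # atom: try each clause, then its query list
        for query in focus(clause, civ, goal, iv):
            if all(prove(policy, g, giv, depth + 1) for g, giv in query):
                return True
    return False

def prove_with_group(policy, group, goal, iv):
    """L-sequents: decompose chunks (∧, ∨, ⊤, ⊥, @) eagerly, moving clauses
    into the policy, then return to the goal.  This is the Lolli-style step
    that makes ∨ and ⊥ in hypotheses usable at all."""
    if not group:
        return prove(policy, goal, iv)
    (h, hiv), rest = group[0], group[1:]
    kind = h[0]
    if kind == 'and':
        return prove_with_group(policy, [(h[1], hiv), (h[2], hiv)] + rest, goal, iv)
    if kind == 'or':                         # both cases must prove the goal
        return (prove_with_group(policy, [(h[1], hiv)] + rest, goal, iv)
                and prove_with_group(policy, [(h[2], hiv)] + rest, goal, iv))
    if kind == 'top':
        return prove_with_group(policy, rest, goal, iv)
    if kind == 'bot':
        return True
    if kind == 'at':
        return prove_with_group(policy, [(h[1], h[2])] + rest, goal, iv)
    return prove_with_group(policy + [(h, hiv)], rest, goal, iv)

def atom(name):
    return ('atom', name)

# Constructed sample policy (assumed, not from the thesis): writing follows
# from reading during [0,100]; reading is granted only on [10,50]; a
# quarantine flag is asserted for [60,70] whatever the surrounding interval.
POLICY = [
    (('imp', atom('may_read'), atom('may_write')), (0, 100)),
    (atom('may_read'), (10, 50)),
    (('at', atom('quarantined'), (60, 70)), (0, 100)),
]

# Provable in the sequent calculus, but plain goal-directed search fails:
# the hypothesis a ∨ b is never decomposed, so neither disjunct of the goal
# can be backchained.  Treating the hypothesis as a chunk restores the proof.
A_OR_B = ('or', atom('a'), atom('b'))

if __name__ == '__main__':
    print(prove(POLICY, atom('may_write'), (20, 40)))                 # True
    print(prove(POLICY, atom('may_write'), (20, 60)))                 # False
    print(prove([(A_OR_B, (0, 1))], A_OR_B, (0, 1)))                  # False
    print(prove_with_group([], [(A_OR_B, (0, 1))], A_OR_B, (0, 1)))   # True
```

The second query fails because the only `may_read` clause covers [10,50], which does not contain [20,60]: the interval check in `focus` is where a credential that has expired, or that is not yet valid, stops a derivation. The last two calls reproduce the disjunction example from the text: `prove` (right rules first, backchaining only on clauses) cannot use `a ∨ b`, whereas `prove_with_group` case-splits on it before decomposing the goal and succeeds.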

Salient points about this chapter. The objective of this chapter is to present a fragment of BL for which goal-directed search is complete, explain formally via inference rules goal-directed proof search for it, prove that the goal-directed search is both sound and complete with respect to the rules of the sequent calculus restricted to the fragment, and explain its implementation in the proof search tool pcfs-search included in PCFS. We call this fragment BL$_G$. It is based on ideas from the linear logic programming languages Lolli [78] and LolliMon [98]. Like Lolli, the proof search procedure for BL$_G$ is a slight generalization of goal-directed search proper (this generalization was described in the third point above). We make three salient observations before presenting the technical material.

First, despite its syntactic restrictions, BL$_G$ is very expressive. In particular, all policies presented in this thesis, including all policies of the case study (§8), lie in BL$_G$.

Second, goal-directed search is an instance of a general proof search technique called focusing [12]. Although this technique is compatible with BL, and may be used to construct a generic theorem prover for all of BL, we refrain from doing so here because such a generic tool would be needlessly complicated and possibly slow, since it would have to cater to many cases that may never arise in actual policies.

Third, both the connective says and explicit time, and the latter in particular, increase significantly the complexity of goal-directed search as well as the proof of its soundness and completeness. As a result, prior work on goal-directed search for other logics does not apply directly, although the methods described in earlier work are certainly the basis of the technical development of this chapter [78, 103].


6.2  Goal-directed Proof Search in BL$_G$

The syntax of the fragment BL$_G$ is described below. Goals $g$ are formulas that may appear in conclusions of sequents in the fragment. They are allowed to contain all connectives. Formulas in hypotheses are divided into two categories: (1) clauses $d$ that contain only uninterpreted atoms and the connectives $\supset$, $\wedge$, $\top$, $\forall$, and @, and (2) chunks $h$ that may contain clauses $d$, constraints $c$, interpreted predicates $i$, and formulas of the form $k$ says $d$ at their leaves, and the connectives $\wedge$, $\vee$, $\top$, $\bot$, $\exists$, and @. Hypotheses also take two forms: policies $\Delta$ that contain assumptions of the form $d \circ [u_1,u_2]$ and $k$ claims $d \circ [u_1,u_2]$, and groups $H$ that have assumptions of the form $h \circ [u_1,u_2]$. Unlike all other hypotheses considered in this thesis so far, a group is an ordered list, not a multiset. We represent groups using familiar notation for lists: $[]$ denotes an empty group, and $H :: (h \circ [u_1,u_2])$ denotes the group obtained by adding $h \circ [u_1,u_2]$ to the end of $H$.

Goals      $g ::= p \mid c \mid i \mid g_1 \wedge g_2 \mid g_1 \vee g_2 \mid h \supset g \mid \top \mid \bot \mid \forall x{:}\sigma.g \mid \exists x{:}\sigma.g \mid k\ \mathsf{says}\ g \mid g\ @\ [u_1,u_2]$

Clauses    $d ::= p \mid d_1 \wedge d_2 \mid \top \mid g \supset d \mid \forall x{:}\sigma.d \mid d\ @\ [u_1,u_2]$

Chunks     $h ::= d \mid c \mid i \mid h_1 \wedge h_2 \mid h_1 \vee h_2 \mid \top \mid \bot \mid \exists x{:}\sigma.h \mid k\ \mathsf{says}\ d \mid h\ @\ [u_1,u_2]$

Policies   $\Delta ::= \cdot \mid \Delta, d \circ [u_1,u_2] \mid \Delta, k\ \mathsf{claims}\ d \circ [u_1,u_2]$

Groups     $H ::= [] \mid H :: (h \circ [u_1,u_2])$
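A syntactic membership test for the fragment just defined, as an added example that is not the thesis's code: three mutually recursive predicates that decide whether a formula is a goal $g$, a clause $d$ or a chunk $h$, and a check that a policy $\Delta$ contains only clauses. A policy author can run such a check before invoking proof search, since the completeness result of this chapter only holds inside BL$_G$. The tuple encoding of formulas, the predicate names, and the sample policy are this example's own assumptions.

```python
"""Syntactic membership test for the fragment BL_G defined above.

Added illustration, not the thesis's code.  Formulas are tuples whose first
element names the connective (all encodings below are this example's own):
  ('atom', name, args)      uninterpreted atom p      ('cons', ...)  constraint c
  ('inter', ...)            interpreted predicate i   ('top',)  ('bot',)
  ('and', f, g)  ('or', f, g)  ('imp', f, g)          f ⊃ g
  ('forall', x, sort, f)  ('exists', x, sort, f)
  ('says', k, f)            k says f                  ('at', f, (u1, u2))  f @ [u1,u2]
"""

def is_goal(f):
    """g ::= p | c | i | g∧g | g∨g | h⊃g | ⊤ | ⊥ | ∀x:σ.g | ∃x:σ.g | k says g | g@[u1,u2]"""
    k = f[0]
    if k in ('atom', 'cons', 'inter', 'top', 'bot'):
        return True
    if k in ('and', 'or'):
        return is_goal(f[1]) and is_goal(f[2])
    if k == 'imp':                         # the antecedent must be a chunk
        return is_chunk(f[1]) and is_goal(f[2])
    if k in ('forall', 'exists'):
        return is_goal(f[3])
    if k == 'says':
        return is_goal(f[2])
    if k == 'at':
        return is_goal(f[1])
    return False

def is_clause(f):
    """d ::= p | d∧d | ⊤ | g⊃d | ∀x:σ.d | d@[u1,u2]   (no ∨, ⊥, ∃, says, c, i)"""
    k = f[0]
    if k in ('atom', 'top'):
        return True
    if k == 'and':
        return is_clause(f[1]) and is_clause(f[2])
    if k == 'imp':                         # goal on the left, clause on the right
        return is_goal(f[1]) and is_clause(f[2])
    if k == 'forall':
        return is_clause(f[3])
    if k == 'at':
        return is_clause(f[1])
    return False

def is_chunk(f):
    """h ::= d | c | i | h∧h | h∨h | ⊤ | ⊥ | ∃x:σ.h | k says d | h@[u1,u2]"""
    if is_clause(f):
        return True
    k = f[0]
    if k in ('cons', 'inter', 'bot'):
        return True
    if k in ('and', 'or'):
        return is_chunk(f[1]) and is_chunk(f[2])
    if k == 'exists':
        return is_chunk(f[3])
    if k == 'says':                        # only a clause may be said inside a chunk
        return is_clause(f[2])
    if k == 'at':
        return is_chunk(f[1])
    return False

def is_policy(delta):
    """Δ ::= · | Δ, d∘[u1,u2] | Δ, k claims d∘[u1,u2]; entries are encoded as
    ('hyp', d, (u1,u2)) or ('claims', k, d, (u1,u2))."""
    for entry in delta:
        if entry[0] == 'hyp' and is_clause(entry[1]):
            continue
        if entry[0] == 'claims' and is_clause(entry[2]):
            continue
        return False
    return True

def atom(name, *args):
    return ('atom', name, args)

# Constructed sample policy (assumed; not from the thesis's case study):
#   admin claims ∀f:file. owner(f, alice) ⊃ may(alice, read, f)   on [0, 100]
OWNER_RULE = ('forall', 'f', 'file',
              ('imp', atom('owner', 'f', 'alice'), atom('may', 'alice', 'read', 'f')))
POLICY = [('claims', 'admin', OWNER_RULE, (0, 100))]

# A rule that leaves the fragment: a disjunction as the head of an
# implication cannot be backchained on, so it is neither a clause nor a chunk,
# although it is still a legal goal.
BAD_RULE = ('imp', atom('employee', 'bob'),
            ('or', atom('may', 'bob', 'read', 'f'), atom('may', 'bob', 'write', 'f')))

if __name__ == '__main__':
    print(is_policy(POLICY))                                            # True
    print(is_clause(BAD_RULE), is_chunk(BAD_RULE), is_goal(BAD_RULE))   # False False True
```

Note the asymmetry that the grammar builds in: an implication is a clause only when its consequent is a clause, and says may appear inside a hypothesis only around a clause, whereas goals may contain every connective. The check therefore rejects exactly the hypotheses on which backchaining could not be complete.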


Our objective now is to define a calculus that formalizes goal-directed search for finding proofs of sequents of the form $\Sigma;\Psi;E;\Delta \to g \circ [u_1,u_2]$. We describe this calculus using five kinds of hypothetical judgments, labeled R, Q, L, N, F, whose forms are listed below. At the expense of overloading terminology, we use the term “sequent” to refer to these hypothetical judgments as well. Whether the term sequent refers to sequents of the sequent calculus, or hypothetical judgments of goal-directed search, should always be clear from the context.


Query lists     $Q ::= [] \mid (u_1 \le u_2) :: Q \mid (g \circ [u_1,u_2]) :: Q$

Boolean flags   $b ::= \mathsf{tt} \mid \mathsf{ff}$

Sequents
  R   $\Sigma;\Psi;E;\Delta \Rightarrow g \circ [u_1,u_2]$
  Q   $\Sigma;\Psi;E;\Delta \Rightarrow Q$
  L   $\Sigma;\Psi;E;\Delta;H \Leftarrow g \circ [u_1,u_2]$
  N   $\Sigma;\Psi;E;\Delta \Rrightarrow p \circ [u_1,u_2]$
  F   $\Sigma;\ d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \mid Q; b$

Although the exact rules of goal-directed search that may be used to establish these five forms of sequents are described in §6.2.1, we briefly explain the purpose and meaning of each form of sequent here. In R-sequents $\Sigma;\Psi;E;\Delta \Rightarrow g \circ [u_1,u_2]$, the goal $g \circ [u_1,u_2]$ is decomposed by rules similar to the right rules of the sequent calculus. These are the primary form of sequents in which proof search starts and they also justify the adjective “goal-directed”. Q-sequents $\Sigma;\Psi;E;\Delta \Rightarrow Q$ are a generalization of R-sequents in which the goal is replaced by a query list $Q$, which may contain conclusions of the forms $u_1 \le u_2$ and $g \circ [u_1,u_2]$. A query list is the BL analogue of the subgoals mentioned in §6.1 in the context of backchaining. The meaning of $\Sigma;\Psi;E;\Delta \Rightarrow Q$ is that a proof of every conclusion in $Q$ can be found from the hypotheses $\Sigma;\Psi;E;\Delta$.

In L-sequents $\Sigma;\Psi;E;\Delta;H \Leftarrow g \circ [u_1,u_2]$, the chunks in $H$ are decomposed using rules similar to the left rules of the sequent calculus. These sequents arise from R-sequents when a hypothesis is introduced by decomposition of an implication in a goal. N-sequents $\Sigma;\Psi;E;\Delta \Rrightarrow p \circ [u_1,u_2]$ are the site of backchaining. To prove an N-sequent, we choose a clause from the hypotheses that can be used to prove the atomic goal $p \circ [u_1,u_2]$, decompose the clause in an F-sequent, and prove the resulting query list (subgoals). An F-sequent $\Sigma;\ d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \mid Q; b$ is used to decompose the clause $d \circ [u_1,u_2]$ with the aim of proving $p \circ [u_1',u_2']$; it means that the latter is entailed by the former if in addition every conclusion in the query list $Q$ holds. The boolean $b$ in an F-sequent is a flag that is needed to correctly account for time intervals, as explained in §6.2.1.


Query lists in the sequent calculus. In order to prove soundness and completeness of goal-directed search (§6.3), it is helpful to define an auxiliary judgment $\Sigma;\Psi;E;\Gamma \to Q$ based on the rules of the sequent calculus (not goal-directed search) as shown below. This judgment is analogous to the judgment $\Sigma;\Psi;E;\Delta \Rightarrow Q$ for goal-directed search.

$$\frac{}{\Sigma;\Psi;E;\Gamma \to []}\ \text{[]Q}$$

$$\frac{\Sigma;\Psi \models u_1 \le u_2 \qquad \Sigma;\Psi;E;\Gamma \to Q}{\Sigma;\Psi;E;\Gamma \to (u_1 \le u_2) :: Q}\ \text{leqQ}$$

$$\frac{\Sigma;\Psi;E;\Gamma \to g \circ [u_1,u_2] \qquad \Sigma;\Psi;E;\Gamma \to Q}{\Sigma;\Psi;E;\Gamma \to (g \circ [u_1,u_2]) :: Q}\ \text{goalQ}$$
Sequent of goal-directed search | Sequent calculus analogue

R   $\Sigma;\Psi;E;\Delta \Rightarrow g \circ [u_1,u_2]$ | $\Sigma;\Psi;E;\Delta \to g \circ [u_1,u_2]$

Q   $\Sigma;\Psi;E;\Delta \Rightarrow Q$ | $\Sigma;\Psi;E;\Delta \to Q$

L   $\Sigma;\Psi;E;\Delta;H \Leftarrow g \circ [u_1,u_2]$ | $\Sigma;\Psi;E;\Delta,|H| \to g \circ [u_1,u_2]$

N   $\Sigma;\Psi;E;\Delta \Rrightarrow p \circ [u_1,u_2]$ | $\Sigma;\Psi;E;\Delta \to p \circ [u_1,u_2]$

F   $\Sigma;\ d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \mid Q; b$ | No direct analogue. Means that $\Sigma;\Psi;E;\Gamma \to Q$ implies $\Sigma;\Psi;E;\Gamma, d \circ [u_1,u_2] \to p \circ [u_1',u_2']$

Figure 6.1: Correspondence between sequents of goal-directed search and the sequent calculus


The  above  rules  induct  over  the  query  list  Q  in  X;  \k;  E\  T  A  Q  and  check  that  each 
conclusion  in  Q  is  provable  from  the  hypotheses  X;  \k;  E;  T. 

To  help  the  reader  get  a  better  idea  of  the  meanings  of  the  sequents  used  in  goal-directed 
search,  we  list  in  Figure  6.1  the  form  of  sequents  from  BL’s  sequent  calculus  that  correspond 
to  the  sequent  classes  R,  Q,  L,  and  N.  F-sequents  have  no  direct  analogues  in  the  sequent 
calculus,  but  their  meaning  can  be  explained  in  terms  of  entailments  between  sequents  of 
the  latter.  The  notation  |H|  denotes  the  multiset  obtained  by  ignoring  the  order  of  elements 
in  H. 

6.2.1  Rules  of  Goal-directed  Proof  Search 

The rules for goal-directed search are shown in Figures 6.2, 6.3, and 6.4. All rules are used backwards during proof search.

R-sequents. Search starts in an R-sequent $\Sigma;\Psi;E;\Delta \Rightarrow g \circ [u_1,u_2]$. The rules applying to an R-sequent (Figure 6.2) are similar to the right rules of the sequent calculus, and always decompose the goal. Unlike the sequent calculus, where left and right rules may be arbitrarily interleaved, R-sequents force the goal to be decomposed continuously until a leaf (an uninterpreted atom, an interpreted atom, or a constraint) is reached. The only exception to this forced decomposition of the goal is the rule (R⊃), which introduces a chunk into the hypotheses of its premise, and therefore transitions temporarily to an L-sequent where the chunk is decomposed by left rules (described later). After the chunk is decomposed completely, the procedure returns to an R-sequent, and decomposition of the goal continues. If a constraint is reached, the constraint solver is invoked to attempt to solve it (rule (R-cons)). Interpreted predicates are similarly treated by the rule (R-inter). If an uninterpreted atom is reached, the proof search transitions to an N-sequent (rule (R-N)), where backchaining is used to try to prove the atomic goal (described later).

The reason why such forced decomposition of goals is complete with respect to the sequent calculus is that once hypotheses are restricted to the form $\Delta$, the right rules of all connectives in the sequent calculus become invertible in the following sense: whenever $\Sigma;\Psi;E;\Delta \to g \circ [u_1,u_2]$ is provable in the sequent calculus, then the premises of at
least one of the right rules that could be used directly to prove this sequent can also be established. Even though we do not use this fact in the proof of completeness of proof search directly (Theorem 6.5), we have included a formal statement of the fact in Appendix D, Lemmas D.16 and D.17 for the curious readers.

Figure 6.2: Goal-directed search, part 1 (R-sequent rules R-N, R-cons, R-inter, R-∧, R-∨1, R-∨2, R-⊤, R⊃, R-∀, R-∃, R-says and R-@, and Q-sequent rules Q-[], Q-leq and Q-goal; the two-dimensional rule layout did not survive extraction)

Note that proof search may have to explore multiple branches, as would happen after application of the rule (R-$\wedge$) which has two premises. Proof search may have to make choices, and backtrack over them if needed, as would happen, for instance, if a conclusion of the form $g_1 \vee g_2 \circ [u_1,u_2]$ is encountered, since either of the two rules (R-$\vee_1$) and (R-$\vee_2$) may potentially prove such a conclusion. The reader may observe that despite the need for making such choices, by eliminating the possibility of applying left rules except after the decomposition of an implication, or after an uninterpreted atom is reached, R-sequents curtail significantly the non-determinism that would be inherent in any proof search tool that naively used the sequent calculus backwards.

Figure 6.3: Goal-directed search, part 2. (The figure gives the rules for L-sequents $\Sigma;\Psi;E;\Delta;\Xi \Leftarrow g \circ [u_1,u_2]$, namely (L-R), (L-clause), (L-cons), (L-inter), (L-$\wedge$), (L-$\vee$), (L-$\top$), (L-$\bot$), (L-$\exists$), (L-says) and (L-@); the rule bodies are not reproduced here.)

Q-sequents. The rules for Q-sequents $\Sigma;\Psi;E;\Delta \Rightarrow Q$ are fairly straightforward (Figure 6.2). The list $Q$ is decomposed inductively by the rules (Q-leq) and (Q-goal) depending on the form of the query at its head, and the provability of the query is checked either through the constraint solver if the query has the form $u_1 \leq u_2$ (rule (Q-leq)), or through an R-sequent if the query has the form $g \circ [u_1,u_2]$ (rule (Q-goal)). The reader may observe that the rules applying to Q-sequents are deterministic.
F-sequents

$$\frac{}{\Sigma;\ p \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus (u_1 \leq u_1') :: (u_2' \leq u_2) :: [] ;\ \mathsf{ff}}\ \text{F-init}$$

$$\frac{\Sigma;\ d_1 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b}{\Sigma;\ d_1 \wedge d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b}\ \text{F-}\wedge_1 \qquad \frac{\Sigma;\ d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b}{\Sigma;\ d_1 \wedge d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b}\ \text{F-}\wedge_2$$

$$\frac{\Sigma;\ d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ \mathsf{tt}}{\Sigma;\ g_1 \supset d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus (g_1 \circ \phi) :: Q;\ \mathsf{tt}}\ \text{F-}\supset_1$$

($\phi$ denotes the fixed interval $[+\infty, -\infty]$, which is contained in all other intervals)

$$\frac{\Sigma;\ d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ \mathsf{ff}}{\Sigma;\ g_1 \supset d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus (g_1 \circ [u_1',u_2']) :: Q;\ \mathsf{ff}}\ \text{F-}\supset_2$$

$$\frac{\Sigma \vdash t : \sigma \qquad \Sigma;\ d[t/x] \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b}{\Sigma;\ \forall x{:}\sigma.\, d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b}\ \text{F-}\forall$$

$$\frac{\Sigma;\ d \circ [u_1'',u_2''] \ll p \circ [u_1',u_2'] \setminus Q;\ b}{\Sigma;\ d\ @\ [u_1'',u_2''] \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ \mathsf{tt}}\ \text{F-}@$$

N-sequents

$$\frac{d \circ [u_1,u_2] \in \Delta \qquad \Sigma;\ d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b \qquad \Sigma;\Psi;E;\Delta \Rightarrow Q}{\Sigma;\Psi;E;\Delta \gg p \circ [u_1',u_2']}\ \text{N-clause}$$

$$\frac{\begin{array}{c} k\ \text{claims}\ d \circ [u_1,u_2] \in \Delta \qquad \nu = k_0, u_b, u_e \\ \Sigma;\Psi \models k \succeq k_0 \qquad \Sigma;\Psi \models u_1 \leq u_b \qquad \Sigma;\Psi \models u_e \leq u_2 \\ \Sigma;\ d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b \qquad \Sigma;\Psi;E;\Delta \Rightarrow Q \end{array}}{\Sigma;\Psi;E;\Delta \gg p \circ [u_1',u_2']}\ \text{N-claims}$$

Figure 6.4: Goal-directed search, part 3


L-sequents. An L-sequent $\Sigma;\Psi;E;\Delta;\Xi \Leftarrow g \circ [u_1,u_2]$ arises during proof search only in the premise of the rule (R-$\supset$). It decomposes the connectives in chunks in $\Xi$ from right to left using the rules of Figure 6.3, which are similar to the corresponding left rules of the sequent calculus. The intuitive justification for completeness of such decomposition with respect to the sequent calculus is that the left rules of the connectives decomposed in L-sequents, namely $\wedge$, $\vee$, $\exists$, says, and @, are invertible in the sequent calculus, i.e. their premises hold without principal formulas, whenever their conclusion does (Lemma 6.4).

Due to syntactic restrictions, every chunk eventually decomposes to the forms $c$, $i$, $d$, and $k$ says $d$. These are pushed into $\Psi$, $E$, $\Delta$, and $\Delta$ respectively using the rules (L-cons), (L-inter), (L-clause), and (L-says). Once decomposition of chunks $\Xi$ is complete, which must happen eventually because each backwards application of a rule in Figure 6.3 removes at least one connective from $\Xi$, the proof search transitions back to an R-sequent and decomposition of the goal is resumed (rule (L-R)). The rules applying to L-sequents are deterministic.

F-sequents. An F-sequent $\Sigma;\ d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b$ is used to determine whether $d \circ [u_1,u_2]$ can be helpful in proving $p \circ [u_1',u_2']$ or not. During proof search, both $Q$ and $b$ are outputs. If the sequent has a derivation, then $\Sigma;\Psi;E;\Gamma, d \circ [u_1,u_2] \longrightarrow p \circ [u_1',u_2']$ whenever $\Sigma;\Psi;E;\Gamma \longrightarrow Q$ (Lemma 6.1). In the following we describe the rules that apply to F-sequents (Figure 6.4), and also explain the role of the boolean $b$, starting with the latter.

Informal explanation for using the boolean $b$. An F-sequent $\Sigma;\ d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b$ is derived by decomposing the connectives in $d$, and the boolean $b$ is tt if and only if an @ connective is encountered during this decomposition. Keeping track of whether or not an @ connective is encountered in the decomposition of a clause is important in order to maintain completeness with respect to the sequent calculus. We explain this with a simple example where we try to prove $\Sigma;\Psi;E;\Gamma, g_1 \supset ((g_2 \supset p)\ @\ [u_1,u_2]) \circ [u_1',u_2'] \longrightarrow p \circ [u_1'',u_2'']$ in the sequent calculus by decomposing the hypothesis $g_1 \supset ((g_2 \supset p)\ @\ [u_1,u_2]) \circ [u_1',u_2']$ with left rules. For simplicity, we will assume that $\Sigma;\Psi \models u_1 \leq u_1''$ and $\Sigma;\Psi \models u_2'' \leq u_2$. The reader should note that the scope of the @ connective includes $g_2$ but not $g_1$. Using the rule ($\supset$L) once, it suffices to prove the following two sequents for any interval $[u_b,u_e]$ that satisfies $\Sigma;\Psi \models u_1' \leq u_b$ and $\Sigma;\Psi \models u_e \leq u_2'$.

$$\Sigma;\Psi;E;\Gamma, g_1 \supset ((g_2 \supset p)\ @\ [u_1,u_2]) \circ [u_1',u_2'] \longrightarrow g_1 \circ [u_b,u_e]$$

$$\Sigma;\Psi;E;\Gamma, g_1 \supset ((g_2 \supset p)\ @\ [u_1,u_2]) \circ [u_1',u_2'],\ (g_2 \supset p)\ @\ [u_1,u_2] \circ [u_b,u_e] \longrightarrow p \circ [u_1'',u_2'']$$

Next, using the rule (@L) it suffices to show the following sequent in place of the second sequent above.

$$\Sigma;\Psi;E;\Gamma, g_1 \supset ((g_2 \supset p)\ @\ [u_1,u_2]) \circ [u_1',u_2'],\ g_2 \supset p \circ [u_1,u_2] \longrightarrow p \circ [u_1'',u_2'']$$

Observe that due to the connective @, the interval $[u_b,u_e]$ has disappeared from the sequent! Proceeding further, it is easy to show using rules ($\supset$L) and (init) that to establish the third sequent above, it suffices to prove the following sequent.

$$\Sigma;\Psi;E;\Gamma, g_1 \supset ((g_2 \supset p)\ @\ [u_1,u_2]) \circ [u_1',u_2'],\ g_2 \supset p \circ [u_1,u_2] \longrightarrow g_2 \circ [u_1'',u_2'']$$

Thus in order to prove $p \circ [u_1'',u_2'']$ from the hypothesis $g_1 \supset ((g_2 \supset p)\ @\ [u_1,u_2]) \circ [u_1',u_2']$ assuming that $\Sigma;\Psi \models u_1 \leq u_1''$ and $\Sigma;\Psi \models u_2'' \leq u_2$, it is enough to prove $g_1 \circ [u_b,u_e]$ for any $[u_b,u_e]$ that is contained in $[u_1',u_2']$ (first sequent above) and also $g_2 \circ [u_1'',u_2'']$ (fourth sequent above). The relevant observation here is that due to the @ connective inside the head of the implication $g_1 \supset ((g_2 \supset p)\ @\ [u_1,u_2])$, the interval $[u_b,u_e]$ over which $g_1$ needs to be established has no relation to the interval in the conclusion, $[u_1'',u_2'']$. This observation generalizes easily: given a hypothesis $g \supset d \circ [u_1,u_2]$, if during the decomposition of $d$ by left rules an @ connective is encountered, then the interval over which $g$ is proved has no relation to the interval over which the concluding atom produced by $d$ holds. As a result, in this case it is okay in the sequent calculus to prove $g$ over any interval contained in $[u_1,u_2]$. To maintain completeness, when such cases arise in goal-directed search we try to prove $g$ over a fixed interval $\phi$ that is contained in all other intervals (this interval is defined below).

It should also be noted that if during the decomposition of $d$ by left rules an @ connective is not encountered, then $g$ must be proved over the same interval that is needed in the conclusion derived from $g \supset d$. This happens, for instance, for the clause $g_2 \supset p$ in the third sequent above. The boolean $b$ in the output of F-sequents keeps track of whether an @ connective has been encountered in the decomposition of the clause or not: $b$ is tt in the sequent $\Sigma;\ d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b$ if and only if the decomposition of $d$ passes through an @ connective. Accordingly, only the rule (F-@) in Figure 6.4 introduces tt in its conclusion; all other rules with premises simply propagate the boolean from the premise to the conclusion. Although possibly non-intuitive, this strategy of keeping track of @ connectives encountered during decomposition of clauses is both sound and complete, as the results in §6.3 show. The explanation of the rules for F-sequents below should be easy to follow, given this intuitive understanding of the importance of $b$.

Explanation of the rules for F-sequents in Figure 6.4. Rule (F-init) means that $p \circ [u_1,u_2]$ can be used to derive $p \circ [u_1',u_2']$ if $u_1 \leq u_1'$ and $u_2' \leq u_2$. This is analogous to the (init) rule in the sequent calculus. Note that the boolean in the output is ff here. The most interesting rules for deriving F-sequents are (F-$\supset_1$) and (F-$\supset_2$), which are applicable when the booleans in the premise are tt and ff respectively. We explain rule (F-$\supset_1$) first. Suppose $\Sigma;\ d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ \mathsf{tt}$, as in the premise of the rule. So $\Sigma;\Psi;E;\Gamma, d_2 \circ [u_1,u_2] \longrightarrow p \circ [u_1',u_2']$ whenever $\Sigma;\Psi;E;\Gamma \longrightarrow Q$, and further during the decomposition of $d_2$, an @ connective is encountered. Due to the explanation above, if $\Sigma;\Psi;E;\Gamma \longrightarrow Q$ and $\Sigma;\Psi;E;\Gamma \longrightarrow g_1 \circ [u_b,u_e]$ for any interval $[u_b,u_e]$, then $\Sigma;\Psi;E;\Gamma, g_1 \supset d_2 \circ [u_1,u_2] \longrightarrow p \circ [u_1',u_2']$. Since we cannot represent "any interval" in the logic, we instead choose an interval $\phi = [+\infty, -\infty]$ that is contained in all other intervals. Then the conclusion of the rule $\Sigma;\ g_1 \supset d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus (g_1 \circ \phi) :: Q;\ \mathsf{tt}$ is immediately justified.

The rule (F-$\supset_2$) is similar, but it applies when the boolean in the premise is ff, i.e. when an @ connective is not encountered during the decomposition of $d_2$. In that case, the goal $g_1$ must be established on the interval $[u_1',u_2']$, not an arbitrary interval $[u_b,u_e]$, in order for $p \circ [u_1',u_2']$ to be provable. Either of the rules (F-$\wedge_1$) and (F-$\wedge_2$) may apply when the clause to be decomposed has a top level conjunction, so F-sequents may cause backtracking during proof search. At a more fundamental level that we don't explicitly explore here, a derivation of an F-sequent corresponds to a single step of left focusing [12].


N-sequents. N-sequents are the site of backchaining for proving atomic goals of the form $p \circ [u_1',u_2']$. There are only two rules to establish an N-sequent: (N-clause) and (N-claims), both of which are shown in Figure 6.4. For both rules, the objective is to prove $p \circ [u_1',u_2']$ from the assumptions $\Sigma;\Psi;E;\Delta$. In (N-clause) this proof is attempted by choosing a hypothesis of the form $d \circ [u_1,u_2]$ in $\Delta$, finding a $Q$ such that $\Sigma;\ d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b$, and checking that $\Sigma;\Psi;E;\Delta \Rightarrow Q$. The rule (N-claims) is similar, except that a hypothesis of the form $k$ claims $d \circ [u_1,u_2]$ is used. In that case, it must also be checked that $k \succeq k_0$, $u_1 \leq u_b$, and $u_e \leq u_2$, where $\nu = k_0, u_b, u_e$. These checks are based on the view principle from §4.2.2. Again, due to the possible choice in picking a suitable hypothesis in $\Delta$, N-sequents may be the site of a significant amount of backtracking during proof search.
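To make the F-sequent rules and their use in N-sequents concrete, here is an added Python sketch of the F-sequent decomposition of Figure 6.4 for clauses built from atoms, $\wedge$, $\supset$ and @. It is not code from the thesis or from pcfs-search (which is written in Standard ML); the rule (F-$\forall$) and unification are left out, atoms are matched syntactically, time points are kept symbolic, and the names `Atom`, `Imp`, `At`, `f_sequents` and `PHI` are this example's own. Run on the clause $g_1 \supset ((g_2 \supset p)\ @\ [u_1,u_2]) \circ [u_1',u_2']$ from the text, it produces the residual query list $Q$ in which $g_1$ is required only on $\phi$ and $g_2$ on the goal's interval, exactly as the informal explanation above predicts.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Time points stay symbolic (strings such as "u1'") so that the output list Q
# can be read off; a real implementation would hand the ("leq", u, u') entries
# to the constraint solver.  PHI is the fixed interval [+inf, -inf] that is
# contained in every other interval, used by rule F-⊃1.
Interval = Tuple[str, str]
PHI: Interval = ("+inf", "-inf")

@dataclass(frozen=True)
class Atom:                 # uninterpreted atom  p t1 ... tn
    pred: str
    args: Tuple[str, ...] = ()

@dataclass(frozen=True)
class And:                  # d1 ∧ d2
    left: "Clause"
    right: "Clause"

@dataclass(frozen=True)
class Imp:                  # g ⊃ d   (the goal g is left opaque here)
    goal: "Clause"
    body: "Clause"

@dataclass(frozen=True)
class At:                   # d @ [u1'', u2'']
    body: "Clause"
    interval: Interval

Clause = Union[Atom, And, Imp, At]

# Entries of Q: a constraint ("leq", u, u') or a residual goal ("goal", g, [u1,u2])
Query = Union[Tuple[str, str, str], Tuple[str, Clause, Interval]]


def f_sequents(d: Clause, iv: Interval, p: Atom, piv: Interval
               ) -> List[Tuple[List[Query], bool]]:
    """Enumerate derivations of  Σ; d ∘ iv ≪ p ∘ piv \\ Q; b  as (Q, b) pairs.
    More than one answer arises only from the choice between F-∧1 and F-∧2."""
    u1, u2 = iv
    v1, v2 = piv
    if isinstance(d, Atom):
        # F-init: heads must match (syntactic equality, no unification); the
        # clause interval must contain the goal interval; b = ff.
        if d == p:
            return [([("leq", u1, v1), ("leq", v2, u2)], False)]
        return []
    if isinstance(d, And):
        # F-∧1 / F-∧2: either conjunct may be the one that yields p.
        return f_sequents(d.left, iv, p, piv) + f_sequents(d.right, iv, p, piv)
    if isinstance(d, Imp):
        out: List[Tuple[List[Query], bool]] = []
        for q, b in f_sequents(d.body, iv, p, piv):
            # F-⊃1 (b = tt): an @ was crossed below, so g need only be shown
            # on PHI.  F-⊃2 (b = ff): g must be shown on the goal's interval.
            g_iv = PHI if b else piv
            out.append(([("goal", d.goal, g_iv)] + q, b))
        return out
    if isinstance(d, At):
        # F-@: continue under the @-annotation's interval and force b = tt.
        return [(q, True) for q, _ in f_sequents(d.body, d.interval, p, piv)]
    raise TypeError(f"unexpected clause form: {d!r}")


def thesis_example() -> List[Tuple[List[Query], bool]]:
    """The clause g1 ⊃ ((g2 ⊃ p) @ [u1,u2]) ∘ [u1',u2'] from the text, against
    the goal p ∘ [u1'',u2'']."""
    p, g1, g2 = Atom("p"), Atom("g1"), Atom("g2")
    clause = Imp(g1, At(Imp(g2, p), ("u1", "u2")))
    return f_sequents(clause, ("u1'", "u2'"), p, ("u1''", "u2''"))


def no_at_example() -> List[Tuple[List[Query], bool]]:
    """(g ⊃ p) ∧ q ∘ [a,b] against p ∘ [c,d]: no @ is crossed, so F-⊃2 fires
    and g is required on [c,d]; the conjunct q cannot yield p and is dropped."""
    p, g, q = Atom("p"), Atom("g"), Atom("q")
    return f_sequents(And(Imp(g, p), q), ("a", "b"), p, ("c", "d"))


if __name__ == "__main__":
    for q, b in thesis_example() + no_at_example():
        print("b =", "tt" if b else "ff", " Q =", q)
```

An N-sequent implementation would call `f_sequents` once per candidate hypothesis in $\Delta$ and then try to prove each returned $Q$, backtracking over the alternatives; because F-$\wedge_1$ and F-$\wedge_2$ both appear in the result list, the backtracking the text mentions is visible here as the length of that list.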


6.3  Soundness  and  Completeness  of  Proof  Search 

We  now  show  that  goal-directed  proof  search  on  the  fragment  BLc,  as  formalized  by  the 
rules  of  §6.2.1,  is  sound  and  complete  with  respect  to  the  sequent  calculus.  Owing  to 
the  presence  of  explicit  time,  and  particularly  because  of  the  need  to  keep  track  of  @ 
connectives  in  clauses  during  decomposition  in  F-sequents,  proofs  of  both  soundness  and 
completeness  are  somewhat  more  difficult  than  they  are  for  other  logics.  Details  of  these 
proofs  are  provided  in  Appendix  D,  and  we  encourage  the  interested  reader  to  go  through 
the  appendix  to  gain  an  insight  into  the  technical  details  of  the  proofs.  Here  we  only  skim 
through  the  main  lemmas. 

Soundness. For soundness, we seek to establish that if $\Sigma;\Psi;E;\Delta \Rightarrow g \circ [u_1,u_2]$, then $\Sigma;\Psi;E;\Delta \longrightarrow g \circ [u_1,u_2]$. The proof of this fact critically relies on the following lemma about soundness of F-sequents.

Lemma 6.1 (Soundness of F-sequents). Suppose the following hold.

1. $\Sigma;\ d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q;\ b$

2. $\Sigma;\Psi;E;\Gamma \longrightarrow Q$

Then, $\Sigma;\Psi;E;\Gamma, d \circ [u_1,u_2] \longrightarrow p \circ [u_1',u_2']$.

Proof. We generalize the statement of the lemma, one for each of the two cases $b = \mathsf{tt}$ and $b = \mathsf{ff}$, which can then be proved using simultaneous induction on the derivation assumed in (1). See Appendix D, Lemmas D.2 and D.3 for details. □

Using  this  lemma,  soundness  follows  by  an  easy  induction  on  derivations  of  goal-directed 
search. 

Theorem 6.2 (Soundness). The following hold.

A. $\Sigma;\Psi;E;\Delta \Rightarrow g \circ [u_1,u_2]$ implies $\Sigma;\Psi;E;\Delta \longrightarrow g \circ [u_1,u_2]$

B. $\Sigma;\Psi;E;\Delta;\Xi \Leftarrow g \circ [u_1,u_2]$ implies $\Sigma;\Psi;E;\Delta, |\Xi| \longrightarrow g \circ [u_1,u_2]$

C. $\Sigma;\Psi;E;\Delta \gg p \circ [u_1,u_2]$ implies $\Sigma;\Psi;E;\Delta \longrightarrow p \circ [u_1,u_2]$

D. $\Sigma;\Psi;E;\Delta \Rightarrow Q$ implies $\Sigma;\Psi;E;\Delta \longrightarrow Q$

Proof. By simultaneous induction on given derivations and case analysis of the last rules in them. For proving (C), Lemma 6.1 is needed. Representative cases may be found in Appendix D, Theorem D.4. □

Completeness. For completeness, we seek to establish that if $\Sigma;\Psi;E;\Delta \longrightarrow g \circ [u_1,u_2]$, then $\Sigma;\Psi;E;\Delta \Rightarrow g \circ [u_1,u_2]$. To prove this fact, we show first that the left rules for connectives that appear in clauses $d$ are admissible in goal-directed search. This requires a systematic development of the metatheory of goal-directed search which we defer to Appendix D, as well as several tedious but straightforward inductions over derivations of goal-directed search. Second, we prove that the left rules for top level connectives in chunks are all invertible in the sequent calculus. This is straightforward. Given these two lemmas, completeness follows by a lexicographic induction on sequent calculus derivations.

Lemma 6.3 (Admissibility of left rules in proof search). The following hold.

1. Admissibility of ($\supset$L). Suppose the following hold:

(a) $\Sigma;\Psi;E;\Delta, g \supset d \circ [u_1,u_2] \Rightarrow g \circ [u_1',u_2']$

(b) $\Sigma;\Psi;E;\Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2'] \Rightarrow g'' \circ [u_1'',u_2'']$

(c) $\Sigma;\Psi \models u_1 \leq u_1'$ and $\Sigma;\Psi \models u_2' \leq u_2$

Then $\Sigma;\Psi;E;\Delta, g \supset d \circ [u_1,u_2] \Rightarrow g'' \circ [u_1'',u_2'']$

2. Admissibility of (claims). Suppose the following hold:

(a) $\nu = k_0, u_b, u_e$

(b) $\Sigma;\Psi \models k_0' \succeq k_0$

(c) $\Sigma;\Psi \models u_b' \leq u_b$

(d) $\Sigma;\Psi \models u_e \leq u_e'$

(e) $\Sigma;\Psi;E;\Delta, k_0'\ \text{claims}\ d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rightarrow g \circ [u_1,u_2]$

Then, $\Sigma;\Psi;E;\Delta, k_0'\ \text{claims}\ d_0' \circ [u_b',u_e'] \Rightarrow g \circ [u_1,u_2]$

3. Admissibility of ($\wedge$L). Suppose the following holds:

(a) $\Sigma;\Psi;E;\Delta, d_0 \wedge d_0' \circ [u_b',u_e'], d_0 \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rightarrow g \circ [u_1,u_2]$

Then, $\Sigma;\Psi;E;\Delta, d_0 \wedge d_0' \circ [u_b',u_e'] \Rightarrow g \circ [u_1,u_2]$

4. Admissibility of ($\forall$L). Suppose the following hold:

(a) $\Sigma \vdash t : \sigma$

(b) $\Sigma;\Psi;E;\Delta, \forall x{:}\sigma.\, d_0 \circ [u_b,u_e], d_0[t/x] \circ [u_b,u_e] \Rightarrow g \circ [u_1,u_2]$




Chapter  6.  BL:  Goal-directed  Proof  Search 


Then, $\Sigma;\Psi;E;\Delta, \forall x{:}\sigma.\, d_0 \circ [u_b,u_e] \Rightarrow g \circ [u_1,u_2]$

5. Admissibility of (@L). Suppose the following holds:

(a) $\Sigma;\Psi;E;\Delta, d_0\ @\ [u_b',u_e'] \circ [u_b,u_e], d_0 \circ [u_b',u_e'] \Rightarrow g \circ [u_1,u_2]$

Then, $\Sigma;\Psi;E;\Delta, d_0\ @\ [u_b',u_e'] \circ [u_b,u_e] \Rightarrow g \circ [u_1,u_2]$

Proof. Each of the statements (1)-(5) is proved separately by induction on the last given R-sequent derivation. In each case, the induction hypothesis must be generalized to include L-sequents, Q-sequents, and N-sequents. Details are presented in Appendix D, Lemmas D.11-D.15. The proof of statement (1) is particularly involved and requires a systematic development of metatheory of goal-directed search, including an analogue of time subsumption (Theorem 4.11). We strongly encourage the interested reader to look at Appendix D for all the details. □

Lemma 6.4 (Strong left inversion for $c$, $i$, $\wedge$, $\vee$, $\top$, $\exists$, says, @). The following hold for the sequent calculus of BL.

1. $\Sigma;\Psi;E;\Gamma, c \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma;\Psi,c;E;\Gamma \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

2. $\Sigma;\Psi;E;\Gamma, i \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma;\Psi;E,i;\Gamma \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

3. $\Sigma;\Psi;E;\Gamma, s_1 \wedge s_2 \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma;\Psi;E;\Gamma, s_1 \circ [u_1,u_2], s_2 \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

4. $\Sigma;\Psi;E;\Gamma, s_1 \vee s_2 \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies both $\Sigma;\Psi;E;\Gamma, s_1 \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ and $\Sigma;\Psi;E;\Gamma, s_2 \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by derivations of smaller or equal depth.

5. $\Sigma;\Psi;E;\Gamma, \top \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma;\Psi;E;\Gamma \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

6. $\Sigma;\Psi;E;\Gamma, \exists x{:}\sigma.\, s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma, x{:}\sigma;\Psi;E;\Gamma, s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

7. $\Sigma;\Psi;E;\Gamma, k\ \text{says}\ s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma;\Psi;E;\Gamma, k\ \text{claims}\ s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

8. $\Sigma;\Psi;E;\Gamma, s\ @\ [u_1'',u_2''] \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma;\Psi;E;\Gamma, s \circ [u_1'',u_2''] \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

Proof. Each statement follows by a separate induction on the depth of the given derivation and a case analysis of the last rule in the derivation. See Appendix D, Lemma D.18 for some representative cases. □

Theorem 6.5 (Completeness). The following hold.

A. $\Sigma;\Psi;E;\Delta \longrightarrow g_0 \circ [u_0,u_0']$ implies $\Sigma;\Psi;E;\Delta \Rightarrow g_0 \circ [u_0,u_0']$

B. $\Sigma;\Psi;E;\Delta, |\Xi| \longrightarrow g_0 \circ [u_0,u_0']$ implies $\Sigma;\Psi;E;\Delta;\Xi \Leftarrow g_0 \circ [u_0,u_0']$

Proof. By simultaneous lexicographic induction, first on the depths of the given derivations, and then on the order (B) > (A). For (B), we also subinduct on the number of connectives in $\Xi$. Details are in Appendix D, Theorem D.19. Briefly, to prove (A), we case analyze the last rule in the derivation of $\Sigma;\Psi;E;\Delta \longrightarrow g_0 \circ [u_0,u_0']$. If it is a right rule, we apply the i.h. to the premises and use the corresponding rule for R-sequents (Figure 6.2). If it is a left rule, we apply the i.h. to the premises and use the corresponding clause from Lemma 6.3. To prove (B), we subinduct on the number of connectives in $\Xi$, and analyze the form of the last chunk in it. Then we use an appropriate clause of Lemma 6.4 to reduce the problem to one with a $\Xi$ with fewer connectives, apply the i.h., and then apply the corresponding rule for L-sequents from Figure 6.3. □

6.4  Implementation  in  PCFS  (and  Otherwise) 

Whereas it should be clear that by preventing arbitrary interleaving of left and right rules, goal-directed search reduces non-determinism inherent in the sequent calculus, there are two points that probably need explanation before it will be clear how the rules of §6.2.1 can be efficiently implemented.

- How does proof search resolve the choices in choosing between the rules (R-$\vee_1$) and (R-$\vee_2$) on one hand, and (F-$\wedge_1$) and (F-$\wedge_2$) on the other, as well as the choice in picking a hypothesis in $\Delta$ to apply one of the rules (N-clause) and (N-claims)?

- How does proof search "guess" the terms $t$ in the premises of the rules (R-$\exists$) and (L-$\forall$)?

The answer to the first question is that, in order to remain complete with respect to the sequent calculus, the proof search tool must explore all these choices. This may be done breadth-first to obtain a semi-decision procedure for BLc, but in practice it is much better to use depth-first search with backtracking, which is also what the PCFS proof search tool pcfs-search does. Like all logic programming languages, it is possible to optimize choices in N-sequents by deriving all possible F-sequents from given clauses $\Delta$ in advance of their actual use in N-sequents. This form of clause-compilation is called residuation in logic programming (see, e.g., [38]). Its application to goal-directed search in BLc requires a slight modification to F-sequents and their rules, since the goal $p \circ [u_1',u_2']$ will not be available at the time that residuation is performed. Although residuation is useful in improving efficiency of goal-directed search, the current implementation of the PCFS tool pcfs-search does not perform this optimization.

The second problem above, that of picking the term $t$ in the premises of the rules (R-$\exists$) and (L-$\forall$), may be resolved in an implementation using a standard approach based on unification. Instead of guessing a term $t$, proof search inserts a new variable, called an existential variable or evar, in its place. This variable is then resolved (its substitution found) during the rule (F-init) by a process of unification. This is completely standard in logic programming as well as theorem proving, and requires little further explanation. The only noteworthy aspect in BLc, as also in other logic programming languages or theorem provers with constraint domains, is that there is inherently a possibility of requiring unification in the constraint solver. More precisely, what happens if we invoke the constraint solver with a judgment of the form $\Sigma;\Psi \models c$ which contains evars? In general, for many forms of constraints, it is possible to unify evars (or find possible satisfying ranges for integer evars) within the constraint domain.

In the context of authorization policies, unification within the constraint solver may be unnecessary in practice: at least for all authorization policies in this thesis, it is the case that most invocations of the constraint solver during goal-directed proof search are with ground constraints. Therefore, the PCFS proof search tool pcfs-search assumes in most cases that all terms during any invocation of the constraint solver are ground. The only exception to this rule is the constraint $t\ \mathsf{is}\ t'$, which checks equality of $t$ and $t'$ modulo rules of arithmetic. In this case, following usual logic programming conventions, pcfs-search requires that $t$ not contain any arithmetic operators, and that $t'$ be a ground arithmetic expression over time points. It simplifies $t'$ using arithmetic rules, and unifies the result with $t$. Generally, the requirement that constraints be ground entails at the least that all terms in the view $\nu$ of a sequent, as well as annotations of the form $\bullet \circ [u_1,u_2]$ and $k$ claims $\bullet$, remain ground during proof search. Whether this will be the case for a policy or not may be checked with a simple mode analysis over the formalized policy rules (e.g., as implemented in Twelf [116]).
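To make the groundness assumption and its single exception concrete, here is an added Python sketch of how the $t\ \mathsf{is}\ t'$ constraint can be handled along the lines just described: the right-hand side is simplified only if it is ground, and the left-hand side, if it is an unbound evar, is bound to the result. This is not code from pcfs-search (which is written in Standard ML); the classes and functions `Evar`, `simplify_ground`, `is_ground` and `solve_is`, and the encoding of time points as integers with evars in $t'$ written as bare names, are this example's own assumptions.

```python
import ast
import operator
from dataclasses import dataclass
from typing import Dict, Union

# Hypothetical term representation for this example.  A time point on the
# left of "is" is either an int (a ground time value) or an existential
# variable (evar).  The right-hand side t' is an arithmetic expression over
# ints given as a string; any bare name in it stands for an evar and makes
# the expression non-ground.
@dataclass(frozen=True)
class Evar:
    name: str

Term = Union[int, Evar]
Subst = Dict[Evar, int]

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def simplify_ground(expr: str) -> int:
    """Simplify a ground arithmetic expression over time points to a value.
    Raises ValueError when the expression mentions an evar (a bare name) or
    an operator outside +, -, *: this is the groundness check on t'."""
    tree = ast.parse(expr, mode="eval").body

    def ev(n: ast.AST) -> int:
        if isinstance(n, ast.Constant) and type(n.value) is int:
            return n.value
        if isinstance(n, ast.BinOp) and type(n.op) in _OPS:
            return _OPS[type(n.op)](ev(n.left), ev(n.right))
        raise ValueError(f"non-ground or unsupported term: {ast.dump(n)}")

    return ev(tree)


def is_ground(expr: str) -> bool:
    """True iff expr is a ground arithmetic expression the solver accepts."""
    try:
        simplify_ground(expr)
        return True
    except ValueError:
        return False


def solve_is(t: Term, t_prime: str, subst: Subst) -> bool:
    """Decide the constraint  t is t'  under subst, binding t when it is an
    unbound evar (unification against the simplified value).  Returns False
    when the constraint is unsatisfiable under the current substitution."""
    value = simplify_ground(t_prime)          # rejects a non-ground t'
    if isinstance(t, Evar):
        if t not in subst:
            subst[t] = value                  # unify: bind the evar
            return True
        t = subst[t]                          # already bound: compare below
    return t == value                         # ground left-hand side


if __name__ == "__main__":
    s: Subst = {}
    print(solve_is(Evar("T"), "1262304000 + 86400 * 30", s), s)
    print(is_ground("T + 1"))
```

Rejecting a non-ground $t'$ outright, rather than silently unifying inside arithmetic, is what lets the solver stay simple; the mode analysis mentioned above is what guarantees, ahead of time, that the rejection never fires on a well-moded policy.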

A similar groundedness assumption on interpreted predicates is unrealistic. For example, during proof search over policy rules of §8, an interpreted predicate of the form owner $f$ $k$ must often be resolved, where $k$ is unknown. So the solver for interpreted predicates in PCFS does perform unification, but only in certain arguments. For example, for the predicate owner $f$ $k$, it requires that $f$ be ground, else it would not know which file's meta-data to look at. Again, a static mode analysis on authorization policy rules may be used to check that such requirements will be satisfied at all times during proof search. Since a proof may be constructed in a system state different from the one in which the authorization derived from it will be used, pcfs-search can be run in interactive mode, where it asks the user about the truth of every interpreted predicate that it deems useful to the proof, instead of checking the predicate on the system state.

The actual implementation of the tool pcfs-search uses the rules of §6.2.1 with changes described above. The implementation is written in Standard ML, and is based on an earlier implementation of goal-directed search for intuitionistic logic by Pfenning and Elliott using success continuations, imperative unification, and implicit backtracking through native sequencing of programs in the programming language [57]. Even without any optimizations, the implementation is reasonably fast. Proofs from policies of §8, which often contain well over 1000 inference rules and refer to over 70 policy rules, can be constructed in less than 300ms by the tool, including the time for reading and parsing certificates from disk.




6.5  Related  Work 

The formalization of goal-directed search in §6.2 is based on a similar formalization for inference in the linear logic programming language Lolli [78], and indirectly on Miller et al.'s work on uniform proofs [103]. To our best knowledge, the latter was the first piece of work to explicitly relate goal-directed search via inference rules to logic programming languages, an approach on which the theory and implementation of pcfs-search builds. Goal-directed search is an instance of a more general method of restricting the search space for proofs without losing completeness, called focusing, that was introduced by Andreoli in the context of classical linear logic [12]. The method has been adopted in other logics, including intuitionistic logic [80, 101], and intuitionistic linear logic [43]. Very recently, Licata and Morgenstern have built a theorem prover for all of BLc using focusing (personal communication). The work in this chapter, although influenced by a lot of prior work, is unique in the sense that it considers the hybrid modality $s\ @\ [u_1,u_2]$, which as explained earlier presents a number of unique challenges both in the design of goal-directed proof search and in the proofs of its soundness and completeness.

Within the context of authorization, a significant amount of work on proof search has focused on the problem of storing and finding the hypotheses needed to construct a proof. This problem is generically called credential chain discovery, and was first studied by Clarke et al. for SPKI [46]. Its scope was greatly expanded in the trust management framework RT [97], and in the work of Bauer et al. [21] whose experimental setup was Grey, a proof-carrying authorization framework. The problem of credential chain discovery is orthogonal to the concerns of this chapter since we are interested in finding proofs assuming that relevant hypotheses are available (we allow proof search to fail if they are not), whereas most work on credential chain discovery focuses on finding hypotheses, and generally simplifies the problem of constructing a logical proof to the use of heuristics. The difference in the two approaches may be explained partly by a difference in setting: most work on credential chain discovery is based in settings where certificates are distributed on a network, and finding them is the difficult part, but policies themselves are simple. On the other hand we are more interested in the problem of finding proofs from complex policies, where general heuristics may be hard to describe. Recently, Becker et al. [24] have studied the problem of credential chain discovery using abduction in logic programming, which is interesting because it combines these two rather orthogonal problems in a single framework.

Most logic-based languages for authorization policies include some procedure for automatic
inference from policy rules. Many of these, e.g., [23, 52], translate policies and goals to
Datalog and use saturating search to perform inference. Others like Soutei use backchaining
search [118]. Saturating search works well when all consequences of a policy are needed, for
instance, to compile the policy to low-level configurations. However, goal-directed search
may be more efficient for constructing proofs of individual authorizations, which is the case
in PCFS.
Chapter 7

The Proof-Carrying File System
(PCFS)


This chapter presents details of the design and implementation of PCFS, as well as experimental
measurements that evaluate its performance during file access. A high-level picture
of the PCFS architecture was presented in §2, details of the use of our authorization logic
BL in PCFS were the subject of §4.3, the PCFS proof verification procedure was described
and formalized in §5.2, and a method for automatic proof search for PCFS was presented
in §6. This chapter explains how all these fit together, and more significantly, it explains the
layout of files and configuration information within a PCFS file system, and how PCFS uses
procaps (capabilities) generated from proofs to authorize file operations during file access.

As mentioned in §2, the PCFS architecture is divided into two parts, both conceptually
and in the implementation: (a) the front end that deals with policies, builds on BL's proof
theory to authorize access based on proofs, and generates procaps, and (b) the back end
that handles file system calls, and uses procaps to authorize file operations. This chapter
is organized around these two parts. §7.1 describes the command line tools for managing
policies and proofs that comprise the front end, whereas §7.2 explains the layout of the file
system, how system calls are intercepted, and the use of procaps to authorize access. §7.3
presents the results of benchmarks which establish that procap-based authorization checks
are efficient in practice. §7.4 summarizes assumptions made by PCFS about its operating
environment and also describes the trusted code base of its implementation.

Since work related to PCFS was already presented at the end of §2, related work is not
included in this chapter. Some of the content of this chapter first appeared in a technical
report authored jointly with Pfenning [68].


7.1  The  PCFS  Front  End 

The content of this section relies on that of §2.1, §4.3, and §5.2. Readers may wish to
revisit those sections before continuing.

The front end of PCFS consists of command line tools that create and manage digital
certificates, automatically search for proofs, verify proofs to generate procaps, and put
procaps in the procap store. Since all these tools are used prior to file access, and all of
them are invoked rarely in comparison to the frequency of file access itself, efficiency of
the tools is not a significant concern in PCFS. In contrast, the back end needs to be, and
is, very efficient. In the following we describe each of these tools. They are all written in
Standard ML, and together comprise approximately 7,000 lines of code. OpenSSL is used
for all cryptographic operations [2]. RSA keys are used for signing and verifying digital
certificates, while procaps are signed using HMACs made with a symmetric key. Details of
both RSA and HMACs can be found in any text on applied cryptography, e.g., [102].

Certificates and keys. PCFS uses its own XML-based format for digital certificates,
which are of two kinds. The first kind of certificates, called policy certificates, establish
policy rules. Abstractly, a policy certificate is a five-tuple (k, u1, u2, s, sig), where k is the
creator of the certificate, [u1, u2] is the interval of validity of the certificate, s is the policy
formula asserted, and sig is a digital signature over the other four elements generated using
k's signing (private) key. As mentioned in §4.3.1, such a certificate is represented in BL as
the judgment k claims s ◦ [u1, u2].

The second kind of certificates, called key certificates, map principals to their verification
(public) keys. We assume that such certificates are signed by a fixed principal called the
certifying authority (CA). The exact name or user id of this principal is irrelevant. What
is important is its public key that can be used to check such certificates. This key is stored
in a specially protected file called ca-pubkey.pem within the PCFS file system (see §7.2.2).
Abstractly, a key certificate is a triple (k, key, sig), where k is the principal whose key
it certifies, key is the public key being certified, and sig is a signature on the first two
components generated with the CA's signing key.

PCFS provides a command line tool called pcfs-cert which can be used to create
certificates of both kinds and to verify sets of certificates. For creating a policy certificate
the tool expects a private key that is used to sign the certificate, whereas for creating a key
certificate it expects the CA's private key. A set of certificates is verified by checking the
signature on each key certificate using the CA's public key, and checking the signature on
each policy certificate using the public key of the principal mentioned in the certificate; the
latter key is obtained from one of the key certificates.

Proof search. PCFS includes an automatic proof search tool called pcfs-search, described
in §6, that helps users find proof terms P such that Σ; ·; E; Γ ⊢_u P ⇐ s ◦ [u1, u2]
(see §5.1 for an explanation of this judgment). The user is responsible for providing Γ in
the form of policy certificates, s which should usually have the form admin says (may k f η),
u1, and u2. The tool reads Σ from a file declarations stored within the PCFS file system
(see §7.2.2), and by default assumes that E is the prevailing system state. The latter behavior
may be changed through a command line option, which causes the tool to prompt the
user about every interpreted atom that may be useful in the proof. This may be necessary
if the proof is being generated in a system state that is different from the one in which the
procap obtained from it is expected to be used.
The proof construction tool is not a trusted component of PCFS, nor are users obliged
to use it. Instead, users may construct proofs by any means they like. However, given that
proofs of authorization can be quite complex, as happens for instance with the policies of §8,
a fast, automatic tool to find proofs is quite useful in practice. pcfs-search is based on
a logic programming interpretation of a large, expressive fragment of BL and works quite
fast. Typical proofs from policies of §8 requiring as many as 1100 inference steps can be
constructed by the tool in less than 300 ms.


Proof verification. Proofs establishing access must be verified using a PCFS command
line tool called pcfs-verify. Unlike the proof search tool, this tool is a trusted component
of PCFS, and users are obliged to use it. The tool implements the verification
algorithm explained in §5.2 and relies on three special files config-file, declarations,
and shared-key that are within the PCFS file system and protected by it (see §7.2.2 for
details). Specifically, given a proof term P, policy rules Γ in the form of certificates, k, f,
and η, the tool proceeds as follows.

- It checks all certificates as explained earlier.

- It reads the sorting Σ from the file declarations. This file also contains the arities
and expected sorts of arguments of all predicate and function symbols, using which
the well-formedness of all formulas in Γ, and the well-formedness of s, k, f, η, and P
are checked.¹

- It reads the identity of principal admin who is responsible for authorizing access from
config-file.

- It tries to find C and I such that Σ, ctime:time; ·; ·; Γ ⊢_u P ⇐ admin says (may k f η) ◦
[ctime, ctime] \ C; I, as explained in §5.2.1.

If all checks succeed the tool reads the key for signing procaps from the file shared-key, and
issues the procap (k, f, η, C, I, sig) to the user. As explained in §5.2.3, this procap can be
used by k to authorize permission η on file f whenever the conditions C and I are satisfied.
In particular, if P satisfies Σ; ·; E; Γ ⊢_u P ⇐ admin says (may k f η) ◦ [u1, u2], then as
discussed in §5.2.2, these conditions will always be satisfied in system state E, provided
that the time of access lies between u1 and u2.

The tool pcfs-verify must run with the user id of a privileged user called pcfssystem
in order to read the secret key for signing procaps, as discussed in greater detail in §7.2.2.
This is ensured by making pcfssystem the owner of the binary file pcfs-verify, and setting
the setuid bit on it.


¹We have not formalized in this thesis how well-formedness is checked, but it is straightforward. Briefly,
well-formedness ascertains that the arguments of all predicates and function symbols have the stipulated
sorts.
Procap injection. Communication of procaps from the front end to the back end of
PCFS is via a store within the PCFS file system. The front end provides a command
line tool called pcfs-qprocap to inject procaps generated by the verifier into this store.²
Alternatively, the beneficiary of a procap may copy the procap into the store directly. The
organization of the procap store is described in §7.2.2.

7.2  The  PCFS  Back  End 

The PCFS back end handles file system calls, looks up relevant procaps in the procap store,
checks them to authorize access, and performs file I/O. In this sense the back end of PCFS
is the actual "file system"; the front end supports it by providing a BL-based framework for
generating procaps from proofs of authorization. The back end can be used as a file system
with any other mechanism that can generate procaps.

The current implementation of the PCFS back end is a local file system for Linux-based
operating systems that contain the Fuse kernel module [1]. Technically, PCFS is a virtual
file system that performs procap-based authorization checks and then uses an underlying file
system for disk I/O. For all experiments reported in this chapter, the underlying file system
is ext3. Using an underlying file system has the merit that it avoids the need to re-implement
disk I/O, but the two-tier architecture adversely affects performance, particularly because it
involves inter-process communication (explained below). Even with this virtual organization
the performance of the back end is very good and high enough for most practical intents
and purposes (see §7.3 for details).

PCFS is mounted using the command below, where /path/to/src is an existing directory in
an ext3 (or other) file system, and /path/to/mountpoint is an empty directory.

$> sudo pcfs-main /path/to/src /path/to/mountpoint

After the execution of this command, any file system call on a path like /path/to/mountpoint/foo/bar
results in a corresponding operation on /path/to/src/foo/bar, but
is subject to procap-based authorization checks that are described in §7.2.1. To prevent
users from directly using the underlying file system to access data, it is expected that ownership
of /path/to/src on the underlying file system will be set to the superuser, and all
access on it will be turned off.³

The directory /path/to/src must contain a special subdirectory named /path/to/src/#config,
which is visible in the mounted PCFS file system at /path/to/mountpoint/#config.
This subdirectory contains the procap store as well as other configuration parameters
such as the symmetric key used to sign and verify procaps, the public key of the
certifying authority (§7.1), arities and expected sorts of arguments of all predicates and function
symbols, and the user id of the principal admin. Since /path/to/mountpoint/#config
contains sensitive information that controls access to all other files and directories, access to
/path/to/mountpoint/#config and its subpaths is not governed by procaps, but by rules
that are hardcoded in the back end. The organization of this special subdirectory and rules
for access to it are discussed in §7.2.2. Access to all files and directories outside #config is
subject to procap-based checks.

²The letter 'q' in the name pcfs-qprocap stands for 'quantified', which is an allusion to the ability of the
tool to substitute free term variables in a procap with ground terms before injecting the resulting procap
into the procap store. Although such substitutions are not useful in ordinary practice, they are helpful if
procaps are generated automatically by a compiler. Details of the latter may be found in joint work of the
author and Chaudhuri [41].

³A more secure method to prevent access via the underlying file system is to keep data encrypted on
it, and to decrypt data in the PCFS back end after making access checks. We have not implemented this
design, since our objective here is to evaluate the performance of access checks.

Before proceeding to explain the back end in detail, we would like to summarize its
implementation. The Fuse kernel module on which PCFS builds works by trapping any file
system calls made on subpaths of /path/to/mountpoint and redirecting them to a user-level
server process, which the developer of the file system must provide. The interaction between
the kernel and the user-level server process occurs over an inter-process communication
(IPC) channel. The Fuse development tool kit also provides a stub for developing the
server process, reducing the code development effort to writing one function for handling
each file system call like open, read, write, stat, unlink, rmdir, mkdir, etc. In PCFS, these
handling functions look up relevant procaps from the procap store, parse them, check them,
decide whether or not to allow access, and then repeat the same call that they were handling
on /path/to/src, after which the underlying file system performs I/O. (The server process
runs as superuser so it is not subject to any access checks in the underlying file system.)
It is in handling the procaps that most of the development effort in the back end lies. In
addition to looking up, parsing, and checking procaps, the back end also includes an in-memory
cache that stores frequently used procaps in parsed form. This cache is described
in §7.2.1. The entire implementation of the back end contains approximately 10,000 lines
of C++ code, and relies on the OpenSSL library for verifying the cryptographic signature
on procaps.


Backwards compatibility. PCFS is highly backwards compatible. Most programs like
word processors, spreadsheets, shell commands, compilers, and file utilities including automatic
file indexers work on it without problems. Part of this compatibility is implicit in the
fact that the use of Fuse ensures that PCFS exposes the standard Linux system call API
to programs. However, this alone does not suffice. Two other design decisions complement
the use of Fuse in providing backwards compatibility:

- First, the use of a procap store, accessible to both users and the back end, ensures
that no extra arguments are needed to pass procaps in file system calls.

- Second, files created by programs remain accessible to them temporarily even in the
absence of policy rules due to procaps generated by the file system itself. This is
explained in §7.2.1.

However, PCFS is not completely backwards compatible because it does not strictly follow
POSIX specifications for access checks. As explained in §7.2.1, deviation from POSIX in
this regard is deliberate, and increases the range of policies that can be enforced with PCFS.
Operation                      Permissions needed
-----------------------------  ---------------------------------------------------------------
stat /foo                      execute on /foo
open /foo in read mode         read on /foo
open /foo in write mode        write on /foo
open /foo in read/write mode   read and write on /foo
opendir /bar                   read on /bar
create /bar/foo                write on /bar
delete /bar/foo                identity on /bar/foo
rename /bar to /foo1/foo2      identity on /bar, write on /foo2 if /foo1/foo2 exists;
                               identity on /bar, write on /foo1 if /foo1/foo2 does not exist
getxattr on /foo               execute on /foo
setxattr on /foo               govern on /foo if attribute starts with user.#pcfs., write otherwise
chown on /foo                  govern on /foo
chmod on /foo                  write on /foo

Figure 7.1: Permissions needed to perform common operations in PCFS


7.2.1 Permissions and Access to Files

The content of this section assumes knowledge of §5.2.3. Readers may wish to revisit that
section before continuing.

Access to files and directories in the PCFS back end is based on permissions that are
authorized through procaps. As explained in §5.2.3, each procap gives a single principal
a specific permission on one file or directory. There are five possible permissions - read,
write, execute, identity, and govern. When a system call is made to a PCFS file system, the
server process first determines the user id of the process making the call. This information
is provided by a Fuse interface, through a function similar to the POSIX method getuid().
Next, based on this user id, the path name(s) being accessed, and the specific operation
being performed, the server process looks up the procap store to find procaps to authorize
relevant permissions. The permissions that must be authorized for each operation are listed
in Figure 7.1. (Path names listed in the figure are relative to the PCFS mount point.)
The procap store is indexed by user ids, path names, and permissions; its organization is
described in §7.2.2. If all required procaps are found, they are parsed, their cryptographic
signatures are verified, and their conditions are checked as described in §5.2.3. Once all
these checks succeed, the operation is performed using the underlying file system. If any
step fails, an access error (POSIX error code EACCES) is returned.

The PCFS permissions execute, read, and write roughly correspond to POSIX permissions
of the same names. The execute permission is needed to read meta-data of a file or
directory (operations stat and getxattr). The read and write permissions are needed to read
and write the contents of a file respectively (operation open). In the case of directories,
the read permission allows reading the list of objects in the directory (operation opendir),
while the write permission allows creation of new files in the directory (operation create).
In compliance with POSIX specifications, PCFS does not make any access checks during
the file system calls read and write. Instead, relevant checks are made when the file is
opened for read or write or both. However, PCFS can be forced to check for read and write
permissions during every read and write through an option in the PCFS configuration file
config-file that is explained in §7.2.2.

In addition to the three POSIX permissions execute, read, and write, PCFS uses two more
permissions - identity and govern - to allow finer access control. The identity permission is
needed for operations delete and rename that change the identity of a file or directory. In
contrast to POSIX, we separate the permission to create objects in a directory (write) from
the permission to rename or delete an object (identity) because deletion and renaming have
effects very different from file creation - deleting or renaming shared files and directories
may adversely affect other users' work, and renaming files and directories also affects what
policy rules apply to them (recall from §4.3 that files and directories are identified in policy
rules using pathnames). An example of the usefulness of the separation between write and
identity arises in the case study of §8, where individuals may be allowed to create files with
sensitive information but not to delete or rename them.

The govern permission is needed to change meta-data of a file on which policy rules may
depend. Recall from §4.3 that the implementation of BL in PCFS supports two interpreted
predicates - owner f k which checks that the owner of file f is k, and has_xattr f a v
which checks that extended attribute user.#pcfs.a on file f is set to v. Accordingly, to
change either the owner (operation chown) or the value of an extended attribute with prefix
user.#pcfs. (operation setxattr), the permission govern is necessary. Use of the govern
permission is illustrated in the example of §4.3.3 and in the case study of §8.

The nine POSIX permission bits, commonly written rwxrwxrwx, have no effect in PCFS,
so the write permission suffices to change them (operation chmod). Another significant
difference from POSIX specifications is that POSIX requires the execute permission on all
ancestors of the file or directory on which an operation is to be performed, but PCFS does
not mandate this check. Where necessary, the check may be forced by building it into the policy
rules. To facilitate the latter, the PCFS implementation includes the constraints isroot d
and isparent d f, which mean respectively that d is the root of the PCFS file system, and
that d is the parent directory of f. Using these constraints, it is easy to encode recursive
checks on ancestor directories in BL.


Default permissions. Many programs create files during their execution, to which they
must have access in order to complete their tasks. To maintain backwards compatibility
with such programs, i.e. to not force modifications to the programs in order to generate
procaps for access to newly created files, when a new file or directory is created, the PCFS
back end automatically creates and injects default procaps that give the creator of the file
or directory read, write, execute, and identity permissions for a fixed period of time (in
the current implementation this period is 90 days, but that can be changed easily). After
this period elapses, the default procaps expire and policy rules must be created to control
access to the file. Also, every default procap is conditional on a specific extended attribute
user.#pcfs.newfile being set to 1. This attribute is set automatically at the time of
creation. Anyone with govern permission on the file or directory may prematurely terminate
access through default procaps by changing or deleting this attribute. In situations where
default procaps are unnecessary, their generation may be suppressed using an option in the
configuration file config-file as explained in §7.2.2.

7.2.2 Configuration Files and the Procap Store

PCFS relies on a significant amount of configuration information as well as the procap store,
both of which must be protected from unauthorized access. As mentioned in the beginning
of §7.2, all this information is stored in a directory named #config which is present in the
root of the PCFS file system. For illustration, we assume throughout this section that PCFS
is mounted at /pcfs. Accordingly, the configuration directory is /pcfs/#config. Access to
the configuration directory is not determined through procaps, but via special rules that are
hardcoded in the implementation of the back end. In particular, PCFS assumes a special
user referred to by the name pcfssystem in this chapter, which has complete access to this
directory. This user is expected to perform maintenance tasks on the file system such as
changing its configuration files, changing the symmetric key used to sign procaps, or deleting
unnecessary procaps. Another important role of pcfssystem is that the proof verifier runs
with its user id, since it needs access to the symmetric key to sign procaps. It should be
noted that pcfssystem may be (and usually should be) distinct from admin, who controls
access via the policy. In fact, pcfssystem should not appear in policies at all.

The following is a list of files and directories within /pcfs/#config, together with a
description of their contents, and the rules for access to them.

/pcfs/#config/config-file: File containing general configuration options, including
those listed below. Anyone may read this file, but only pcfssystem may write to
it.

1. User ids of the principals admin and pcfssystem.

2. Whether or not default procaps discussed in §7.2.1 are to be generated.

3. Whether or not procaps are to be deleted when the file they authorize is deleted
or renamed (explained later in this section).

4. Size of the in-memory procap cache, which is explained later in this section.

/pcfs/#config/shared-key: Contains the shared key used to sign procaps. Only
pcfssystem may read or write this file.

/pcfs/#config/ca-pubkey.pem: Contains the public key of the certifying authority
who signs associations between other public keys and users (§7.1). Anyone may read
this file, but only pcfssystem may write to it.

/pcfs/#config/declarations: Contains the sorts of all constants (i.e. Σ), as well
as the arities and expected sorts of arguments of all predicates and function symbols
allowed in policies. Anyone may read this file, but only pcfssystem may write to it.

/pcfs/#config/procaps/: This directory contains procaps and constitutes what we
have been calling the procap store. Its organization is discussed next. pcfssystem has
full access to this directory, and other users have access to specific subdirectories only.


The procap giving the right (k, f, η) is stored in the file /pcfs/#config/procaps/<k>/<f>.perm.<η>.
Here <k> is the user id of the user k, <f> is the path of the file f (relative
to the mount point), and <η> is a textual representation of the permission. Thus each
procap is stored in a separate file, and further for each right (k, f, η), there can be at
most one procap that authorizes the right. While this may be restrictive, it makes lookup
extremely easy since the exact path where a procap is to be found can be determined
simply by knowing the PCFS mount point and the right (k, f, η). To prevent denial of
service attacks and to protect user privacy, the PCFS back end ensures that only user k
can access (read, write, or delete) files inside /pcfs/#config/procaps/<k>/.

Since pcfssystem has full access to all files and directories within /pcfs/#config/, its
user account is a very attractive target for attack. If an attacker gains control of this
user account, it can read the secret key used to sign and verify procaps, and inject fake
procaps to access other files. To prevent this, the PCFS server process denies pcfssystem
all permissions in other directories within the file system.
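The procap pipeline described in §7.1 (pcfs-verify issuing an HMAC-signed procap), §7.2.1 (Figure 7.1 and default procaps) and this section (the store layout) fits together as in the following added example, which is not PCFS's own code (the real front end is Standard ML and the back end C++). It assumes the mount point /pcfs, a constructed shared key, HMAC-SHA256 over a JSON encoding of the procap body, and a dict standing in for the store files; the real procap format and condition language are richer.

```python
import hashlib
import hmac
import json
from pathlib import PurePosixPath

MOUNT = "/pcfs"                       # mount point assumed in section 7.2.2
SHARED_KEY = b"constructed-demo-key"  # stands in for /pcfs/#config/shared-key
DEFAULT_PERIOD = 90 * 24 * 3600       # default procaps last 90 days (section 7.2.1)
XATTR_PREFIX = "user.#pcfs."          # attributes policies may depend on


def _canonical(body):
    """Deterministic byte encoding of the signed part of a procap (assumed format)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _parent(path):
    return str(PurePosixPath(path).parent)


def issue_procap(k, f, eta, interval, xattr_conds=()):
    """What pcfs-verify does once the proof checks: sign (k, f, eta, C, I) with the
    shared key. C is the validity interval [u1, u2] in seconds; I lists attribute
    conditions (a, v) meaning user.#pcfs.a must equal v at access time."""
    body = {"k": k, "f": f, "eta": eta, "C": list(interval),
            "I": [list(c) for c in xattr_conds]}
    sig = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def procap_path(k, f, eta):
    """Store layout of section 7.2.2: one file per right (k, f, eta)."""
    return f"{MOUNT}/#config/procaps/{k}/{f.lstrip('/')}.perm.{eta}"


def inject(store, procap):
    """pcfs-qprocap: put the procap into the store (a dict standing in for the files)."""
    store[procap_path(procap["k"], procap["f"], procap["eta"])] = _canonical(procap)


def default_procaps(uid, f, now):
    """The procaps the back end injects itself when uid creates f (section 7.2.1)."""
    return [issue_procap(uid, f, p, (now, now + DEFAULT_PERIOD), [("newfile", "1")])
            for p in ("read", "write", "execute", "identity")]


def required_rights(op, path, mode="r", target=None, target_exists=False, attr=""):
    """Figure 7.1 as a function: the (path, permission) pairs an operation needs."""
    if op in ("stat", "getxattr"):
        return [(path, "execute")]
    if op == "open":
        modes = {"r": ["read"], "w": ["write"], "rw": ["read", "write"]}
        return [(path, p) for p in modes[mode]]
    if op == "opendir":
        return [(path, "read")]
    if op == "create":
        return [(_parent(path), "write")]
    if op == "delete":
        return [(path, "identity")]
    if op == "rename":  # write on the target if it already exists, else on its directory
        return [(path, "identity"), (target if target_exists else _parent(target), "write")]
    if op == "setxattr":  # only attributes policies can depend on need govern
        return [(path, "govern" if attr.startswith(XATTR_PREFIX) else "write")]
    if op == "chown":
        return [(path, "govern")]
    if op == "chmod":  # the rwx bits have no effect in PCFS, so write suffices
        return [(path, "write")]
    raise ValueError(f"unknown operation {op}")


def check_procap(raw, k, f, eta, now, xattrs):
    """Parse a stored procap, verify its HMAC, and check C and I (section 5.2.3)."""
    pc = json.loads(raw)
    body = {key: pc[key] for key in ("k", "f", "eta", "C", "I")}
    expected = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pc["sig"]):
        return False                      # forged or tampered procap
    if (pc["k"], pc["f"], pc["eta"]) != (k, f, eta):
        return False                      # procap stored under a right it does not grant
    u1, u2 = pc["C"]
    if not u1 <= now <= u2:
        return False                      # outside the validity interval
    attrs = xattrs.get(f, {})             # xattrs: file path -> {attribute: value}
    return all(attrs.get(XATTR_PREFIX + a) == v for a, v in pc["I"])


def authorize(store, xattrs, uid, now, op, path, **kw):
    """Back-end decision for one system call made by uid: True, or "EACCES"."""
    for f, eta in required_rights(op, path, **kw):
        raw = store.get(procap_path(uid, f, eta))
        if raw is None or not check_procap(raw, uid, f, eta, now, xattrs):
            return "EACCES"
    return True
```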


Automatic procap deletion. To prevent unnecessary procaps from accumulating in the
procap store, the PCFS back end, by default, deletes all procaps associated with a file or
directory when the latter is deleted or renamed. This is a costly operation, as is evident
from microbenchmarks (§7.3). Such automatic deletion of procaps can be prevented by
setting an option in the file /pcfs/#config/config-file. In its place, pcfssystem may
periodically run a simple script that removes all procaps which authorize files that do not
exist.


In-memory procap cache. Since procaps are stored in files, and one or more of them must be read to authorize almost every operation on a PCFS file system, it is helpful to cache commonly used procaps in memory to improve performance. Accordingly, PCFS uses a least recently used (LRU) in-memory cache, whose size can be adjusted through an option in the file /pcfs/#config/config-file. The cache stores parsed procaps, whose signatures have already been verified. The only cost involved in using a cached procap is checking its conditions (C and Z from §5.2.1). This is extremely fast and usually takes only 10-100 µs. In contrast, seeking the procap on disk may take a few milliseconds, and parsing it often takes up to 70 µs. As a result of this cache, PCFS obtains extremely high performance when the number of files in use is small. We evaluate the effect of the cache with different hit rates in §7.3. The PCFS back end automatically marks a cached procap dirty if its corresponding file on disk changes or is deleted. This forces the cached procap to be read again from the disk whenever it is needed next.
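The following Python model, added here as an illustration and not taken from the PCFS sources, puts the three mechanisms described above together: the deterministic procap path /pcfs/#config/procaps/<k>/<f>.perm.<η> (so a lookup needs no search), the rule that only user k may touch its own procap directory, the periodic script that removes procaps for files that no longer exist, and an LRU cache of parsed, MAC-verified procaps that is invalidated when the procap file on disk changes. The on-disk procap format (a header line followed by an HMAC-SHA256 tag), the key, the condition being checked (a validity window only) and the use of the file's stat signature to detect a dirty cache entry are assumptions of this example; PCFS uses its own format and MAC scheme.

```python
import hashlib
import hmac
import os
import tempfile
from collections import OrderedDict

# Constructed key for this example. In PCFS the MAC key lives under
# /pcfs/#config/ and is readable only by pcfssystem.
KEY = b"example-procap-mac-key"


class ProcapStore:
    """Model of the procap store: one file per right (k, f, eta) plus an LRU cache."""

    def __init__(self, mount, cache_size=2):
        self.mount = mount
        self.cache_size = cache_size
        self.cache = OrderedDict()   # procap path -> (stat signature, parsed procap)
        self.loads = 0               # how many times a procap was read and verified

    def procap_path(self, uid, path, perm):
        # Right (k, f, eta) lives at <mount>/#config/procaps/<k>/<f>.perm.<eta>,
        # so the exact file is known without searching.
        return os.path.join(self.mount, "#config", "procaps", str(uid),
                            path.lstrip("/") + ".perm." + perm)

    def write_procap(self, uid, path, perm, not_before, not_after):
        # Hypothetical on-disk format: one header line, then a hex HMAC-SHA256 tag.
        header = "|".join([str(uid), path, perm, str(not_before), str(not_after)])
        tag = hmac.new(KEY, header.encode(), hashlib.sha256).hexdigest()
        p = self.procap_path(uid, path, perm)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(header + "\n" + tag + "\n")

    def _load(self, p):
        # The expensive part: read, verify the MAC, parse.
        with open(p) as fh:
            header, tag = fh.read().split("\n")[:2]
        good = hmac.new(KEY, header.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("procap MAC does not verify")
        self.loads += 1
        uid, path, perm, nb, na = header.split("|")
        return {"uid": int(uid), "path": path, "perm": perm,
                "not_before": float(nb), "not_after": float(na)}

    def check(self, caller_uid, uid, path, perm, now):
        """Return True iff a valid procap grants (uid, path, perm) at time `now`."""
        # Only user k may touch /pcfs/#config/procaps/<k>/: no probing other users' store.
        if caller_uid != uid:
            raise PermissionError("procap directory of another user")
        p = self.procap_path(uid, path, perm)
        try:
            st = os.stat(p)
        except FileNotFoundError:
            return False                              # no procap, no access
        sig = (st.st_ino, st.st_mtime_ns, st.st_size)  # stands in for PCFS's dirty marking
        entry = self.cache.get(p)
        if entry is None or entry[0] != sig:          # miss, or cached copy is dirty
            entry = (sig, self._load(p))
            self.cache[p] = entry
            if len(self.cache) > self.cache_size:
                self.cache.popitem(last=False)        # evict least recently used
        self.cache.move_to_end(p)
        procap = entry[1]
        # The cheap part of a cached check: the procap's conditions (here, a time window).
        return procap["not_before"] <= now <= procap["not_after"]

    def gc_orphans(self):
        """Delete procaps whose target file no longer exists (the periodic script)."""
        root = os.path.join(self.mount, "#config", "procaps")
        removed = 0
        for d, _, files in os.walk(root):
            for name in files:
                rel = os.path.relpath(os.path.join(d, name), root).split(os.sep, 1)[1]
                target = os.path.join(self.mount, rel.rsplit(".perm.", 1)[0])
                if not os.path.exists(target):
                    os.remove(os.path.join(d, name))
                    removed += 1
        return removed


def store_demo():
    """Constructed scenario: one real file, one procap for a file that never existed."""
    mount = tempfile.mkdtemp()
    os.makedirs(os.path.join(mount, "docs"))
    open(os.path.join(mount, "docs", "a.txt"), "w").close()
    store = ProcapStore(mount, cache_size=2)
    store.write_procap(1000, "/docs/a.txt", "read", 0, 200)
    store.write_procap(1000, "/docs/gone.txt", "read", 0, 200)
    r = {}
    r["grant"] = store.check(1000, 1000, "/docs/a.txt", "read", now=100)
    r["expired"] = store.check(1000, 1000, "/docs/a.txt", "read", now=300)   # cache hit
    r["no_procap"] = store.check(1000, 1000, "/docs/a.txt", "write", now=100)
    r["loads_after_checks"] = store.loads
    try:
        store.check(1001, 1000, "/docs/a.txt", "read", now=100)
        r["cross_user"] = "allowed"
    except PermissionError:
        r["cross_user"] = "denied"
    r["gc_removed"] = store.gc_orphans()
    return r
```

Note that the dirty check costs one stat per access, which is the price of not trusting a cached procap after its file was rewritten or deleted; PCFS instead marks entries dirty from its own write path, which avoids that stat but relies on every modification going through the server.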
7.3 Performance Evaluation of the Back End

In this section, we present results of evaluation of the performance of the PCFS back end through benchmarks. Specifically, we evaluate the overhead of access checks during read, write, stat, create, and delete operations, and measure the effectiveness of the in-memory procap cache through microbenchmarks. To evaluate performance in practice, we also present the results of two simple macrobenchmarks. Since we are primarily interested in measuring the overhead of procap-based access checks, our baseline for comparing performance is a Fuse-based file system that does not perform the corresponding checks, but otherwise runs a server process and uses an underlying ext3 file system, just as PCFS does. We call this file system Fuse/Null. For macrobenchmarks we also compare with a native ext3 file system. All measurements reported here were made on a 2.4GHz Core 2 Duo machine with 3GB RAM and a 7200RPM 100GB hard disk drive, running the Linux kernel 2.6.24-23.


Read  and  write  throughput.  As  mentioned  in  §7.2.1,  by  default,  PCFS  does  not  make 
any  access  checks  when  read  or  write  operations  are  performed  on  a  previously  opened  file. 
As  a  result  its  read  and  write  throughput  is  very  close  to  that  of  Fuse/Null.  The  following 
table  summarizes  the  read  and  write  throughputs  of  PCFS  and  Fuse/Null  based  on  reading 
and  writing  a  1GB  file  sequentially  using  the  Bonnie++  test  suite  [47]. 


Operation   PCFS (MB/s)   Fuse/Null (MB/s)
Read        538.69        567.47
Write       73.18         76.05

Even  if  access  checks  on  every  read  and  write  are  enabled,  the  read  and  write  throughputs 
do  not  show  a  significant  change  as  long  as  required  procaps  remain  cached  in  memory. 

File stats and effectiveness of caching. Besides read and write, two other very common file operations are open and stat (reading a file's meta-data). In terms of access checks, both are similar, since usually one procap must be checked in each case.[4] We report in the table below the speed of the stat operation and the effect of the in-memory procap cache with different hit rates. All measurements are reported in number of operations per second, as well as time taken per operation. The title n% indicates a measurement with a cache hit rate of n%. For comparison, the performance of Fuse/Null is also shown. The figures are based on choosing a random file 20,000 times in a directory containing exactly 20,000 files, and stating it. To get a hit rate of n%, the cache size is set to n/100 × 20,000, and the cache is warmed a priori with random procaps. It is easy to prove that for an LRU cache this results in a hit rate of n% in expectation when subsequent files (procaps) are also chosen at random: the cache always holds exactly n/100 × 20,000 distinct procaps, and each uniformly random access hits with probability n/100. All procaps used here are default procaps, whose conditions include two constraints of the form u1 ≤ u2 (without hypotheses), and one interpreted predicate of each of the two forms has xattr and owner.

[4] Two procaps must be checked when a file is opened in read and write modes simultaneously.
Cache hit rate →      0%      50%     90%     95%     98%     100%    Fuse/Null
Stats per second      5774    7186    8871    9851    11879   23652   36042
Time per stat (µs)    173.2   139.2   112.7   101.5   84.2    42.2    27.7

As can be seen from this table, the procap cache is extremely helpful in attaining efficiency. The difference of the time values in the last two columns is an estimate of the time it takes to check a cached procap (i.e., the time needed to check the conditions in a procap). In this case, this time is 42.2 − 27.7 = 14.5 µs. This estimate is rough, and the actual time varies with the complexity of the conditions in the procap. In other experiments, we have found that this time varies from 10 to 100 µs. By taking the difference of the time values in the first and last columns, we obtain an estimate of the time required to read a procap, check its signature, parse the procap, and check its conditions. In this experiment, this time is 173.2 − 27.7 = 145.5 µs. Additional time may be needed to seek to the procap on disk, which was most likely not counted here, since the procaps used were in a single directory in the underlying file system, hence making the latter's cache very effective. Nonetheless, this suggests that, in general, procap checking is dominated by reading and parsing times. The signatures we use for procaps are message authentication codes, which can be verified in 1 to 2 µs each.
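The hit-rate construction used in the stat experiment above (uniformly random accesses to N files, an LRU cache of n/100 × N entries warmed with random procaps) can be checked by simulation. The function below is an added illustration, not the benchmark code of the thesis; file identifiers stand in for procaps and the RNG seed is fixed so that the result is reproducible. It also shows why the eviction policy does not matter for this particular workload: the cache always holds exactly n/100 × N distinct entries, so each access hits with probability n/100 whatever is evicted.

```python
import random
from collections import OrderedDict


def lru_hit_rate(n_files, cache_fraction, n_ops, seed=1):
    """Simulate random stat() calls against an LRU procap cache and return the hit rate.

    n_files: number of files (procaps) in the directory, e.g. 20000
    cache_fraction: cache size as a fraction of n_files (n/100 for a target of n%)
    n_ops: number of random accesses to perform
    """
    rng = random.Random(seed)            # fixed seed: deterministic, constructed workload
    size = int(cache_fraction * n_files)
    cache = OrderedDict()                # insertion order == recency order

    # Warm the cache a priori with `size` distinct random procaps, as in the experiment.
    while len(cache) < size:
        cache[rng.randrange(n_files)] = True

    hits = 0
    for _ in range(n_ops):
        f = rng.randrange(n_files)       # choose a random file and stat it
        if f in cache:
            hits += 1
            cache.move_to_end(f)         # most recently used
        else:
            cache[f] = True
            if len(cache) > size:
                cache.popitem(last=False)  # evict least recently used
    return hits / n_ops


def hit_rates(n_files=20000, n_ops=20000):
    """Hit rates for the cache sizes used in the table: 0%, 50%, 90%, 95%, 98%, 100%."""
    return {n: lru_hit_rate(n_files, n / 100, n_ops) for n in (0, 50, 90, 95, 98, 100)}
```

Running hit_rates() gives values within sampling noise (about 0.35 percentage points at 20,000 operations) of the nominal n%, so the table's column headings can be read as expected hit rates rather than exact counts.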

File  creation  and  deletion.  The  table  below  lists  the  number  of  create  and  delete 
operations  per  second  that  are  supported  by  PCFS  and  Fuse/Null.  These  are  measured  by 
creating  and  deleting  10,000  files  in  a  single  directory. 


Operation   PCFS (op/s)   Fuse/Null (op/s)
Create      1386          4738
Delete      1989          15429

PCFS is approximately 3.5 times slower than Fuse/Null in creating files. This is because in this experiment PCFS also created six default procaps for every file created. As a result, the PCFS numbers measure creation of seven times as many files in three separate directories. Deletion in PCFS in this experiment is nearly 7.7 times slower than that in Fuse/Null. This is because when a file is deleted in PCFS, one procap must be looked up, parsed, and checked, and all procaps related to the file must later be deleted. In this case, each file deletion in PCFS corresponds to seven file deletions on the ext3 file system in three different directories. The effect of the procap cache is negligible during these experiments, since the cache size was kept very small as compared to the number of files.

In  summary,  assuming  a  low  rate  of  cache  misses,  the  performance  of  PCFS  on  common 
file  operations  like  read,  write,  stat,  and  open  is  comparable  to  that  of  Fuse/Null.  On  the 
other  hand,  less  common  operations  like  create  and  delete  are  slower  because  procaps  must 
be  managed. 

Chapter 7. The Proof-Carrying File System (PCFS)

Macrobenchmarks. To understand the performance of PCFS in practice, we also ran two simple macrobenchmarks. The first (called OpenSSL in the table below) untars the OpenSSL source code, compiles it and deletes it. The other (called Fuse in the table below) performs similar operations for the source of the fuse kernel module five times in sequence. As can be seen, the performance penalty for PCFS as compared to Fuse/Null is approximately 10% for OpenSSL, and 2.5% for Fuse. The difference arises because the OpenSSL benchmark depends more on file creation and deletion as compared to the Fuse benchmark.


Benchmark   PCFS (s)   Fuse/Null (s)   Ext3 (s)
OpenSSL     126        114             94
Fuse × 5    79         77              70

In  practice,  a  file  system  like  PCFS  may  be  used  for  protecting  sensitive  files,  common 
operations  on  which  (such  as  viewing  and  editing  through  interactive  editors)  may  be  far  less 
file  operation-intensive  than  the  macrobenchmarks  here.  In  those  cases,  the  performance  of 
PCFS  will  be  closer  to  that  of  Fuse/Null  and  ext3,  than  reported  in  the  above  table. 

7.4  Trusted  Code  Base  and  Trust  Assumptions 

We conclude this chapter with a discussion of the trusted code base (TCB) in the implementation of PCFS, and the trust assumptions on the environment in which PCFS operates. Readers should bear in mind that the main purpose of implementing PCFS is only to show that dynamic access policies can be enforced efficiently with procaps; minimizing the trusted computing base and reducing trust assumptions on the environment are not important objectives of this thesis.

Trusted Code Base. For the PCFS front end, the primary trusted code base is the implementation of the proof verifier, which is approximately 5300 lines of SML code including code for parsing and checking certificates in a custom format. In addition, the front end relies on OpenSSL for cryptographic operations. As in all PCA deployments, the automatic prover for BL is not part of the TCB. For a practical deployment, a public-key infrastructure may be used to manage signing and verification keys, which would also become part of the TCB.

The PCFS back end runs over Fuse, which is a module in the Linux kernel. In the broadest sense, therefore, the TCB for the back end includes the entire Linux kernel. Discounting the Linux kernel and the Fuse module, the TCB for the back end includes code for parsing, caching, and checking procaps, and a small amount of stub code for handling kernel upcalls. Together they constitute approximately 10,000 lines of C++ code. The back end also relies on OpenSSL for verification of signatures on procaps.

Trust  Assumptions.  The  PCFS  front  end  relies  on  the  assumption  that  honest  users 
and,  in  particular,  policy  administrators  protect  their  signing  keys.  If  this  were  not  the  case 
then  malicious  users  could  forge  certificates  and  gain  access.  Along  similar  lines,  the  user 
designated  admin  must  be  completely  trusted  because  it  may  create  any  access  policy.  Since 
access  rights  in  PCFS  are  tied  to  actual  Linux  users,  it  is  also  assumed  that  user  accounts 
are  securely  protected. 
PCFS is implemented as a virtual file system and data is protected on the underlying file system (e.g., ext3) by giving its ownership to the superuser. Consequently, three trust assumptions are that (a) the superuser account is securely protected, (b) the superuser is trustworthy, and (c) the access control mechanisms on the underlying file system work correctly for data owned by the superuser. Further, we must also rely on the environment to ensure that file data is not leaked through interfaces besides the file system interface (e.g., data may be leaked through memory maps of files). It is also assumed that the communication between the kernel and the PCFS server listening to kernel upcalls is secure.
Chapter 8. Case Study: Access Control for Classified Information in the U.S.


This  chapter  is  a  case  study  for  the  use  of  our  proof-carrying  file  system  PCFS  and  our 
authorization  logic  BL.  The  subject  of  the  case  study  are  policies  that  control  dissemination 
of  classified  information  in  the  hands  of  intelligence  and  defense  agencies  in  the  U.S.  We 
show  that  these  policies,  which  are  quite  extensive  as  well  as  dynamic  due  to  their  reliance 
on  both  system  state  as  well  as  explicit  time,  can  be  represented  in  BL  and  enforced  with 
PCFS.  The  content  of  this  chapter  also  appeared  previously  in  a  technical  report  that  was 
authored  jointly  with  Frank  Pfenning,  Denis  Serenyi,  and  Brian  Witten  [69]. 

The  primary  source  of  policies  formalized  in  this  chapter  is  interviews  of  intelligence 
personnel  conducted  by  Brian  Witten  and  Denis  Serenyi,  and  provided  to  the  author  in  the 
form  of  five  internal  reports  as  part  of  a  government  contract.  Some  parts  of  policies  are 
based  on  Executive  Orders  of  the  White  House  [110,  111]  or  Director  of  Central  Intelligence 
Directives  (DCIDs)  [108,  109].  Due  to  this  mixed  source  of  information,  we  do  not  explicitly 
cite  our  sources  again.  None  of  the  information  on  which  this  chapter  relies  is  classified. 
Despite  the  realistic  sources  of  the  policies,  the  chapter  should  not  be  construed  as  an 
authoritative  reference  on  policies  for  controlling  access  to  classified  information,  or  of  the 
actual  practices  followed  for  their  enforcement  in  intelligence  and  defense  establishments. 
The  only  intention  of  the  chapter  is  to  show  that  BL  is  expressive  enough  to  encode  a  large, 
representative  part  of  the  policies,  which  can  then  be  enforced  directly  in  PCFS. 

The  rest  of  this  chapter  is  organized  as  follows.  §8.1  provides  an  overview  of  classified 
information,  including  the  life  cycle  of  a  sensitive  file  and  the  high  level  policy  rules  for 
access  to  sensitive  files.  §8.2  describes  the  process  of  file  classification,  relevant  properties 
of  a  classified  file,  and  formal  rules  for  establishing  these  properties.  §8.3  presents  rules  for 
giving  security  clearances  to  individuals;  these  clearances  are  necessary  to  read  classified 
files.  §8.4  explains  how  properties  of  a  classified  file  and  security  clearances  of  individuals 
interact  to  allow  access.  §8.5  summarizes  conclusions  and  observations  from  the  case  study. 
§8.6  lists  all  logic  predicates  used  in  this  chapter,  together  with  their  intuitive  meanings 
and  the  sections  in  which  they  are  defined. 
Notational conventions. Before proceeding to read this chapter, readers may wish to review the material in §4.1 and §4.3 to refresh their memory about the syntax of BL and conventions for its use in PCFS. We follow a descriptive naming convention for predicates. A predicate name has the form entity/attribute/..., where entity determines the entity whose attribute the predicate describes and attribute is a description of the property the predicate defines. "..." may be any other relevant qualifiers. Common among these qualifiers is h, which denotes a helper predicate that is used in the definition of the predicate without the h. As before, interpreted predicates are written in boldface.

Recall from §4.3 that policy rules in BL are represented through basic judgments of the form k claims s ∘ [u1, u2]. For brevity, throughout this chapter, we drop the annotation ∘ [u1, u2] if it is [−∞, +∞]. Following this convention, most policy rules in this chapter are written as k claims s, when we actually mean k claims s ∘ [−∞, +∞]. Following standard convention from logic programming, variable names starting with uppercase letters are implicitly universally quantified. In general, the universal quantification occurs inside the annotation k claims •. So k claims s really means k claims (∀X. s) ∘ [−∞, +∞], where X is the set of all variables starting with uppercase letters in s. Finally, we often write s :- s1, ..., sn to mean (s1 ∧ ... ∧ sn) ⊃ s.

8.1  Sensitive  Information  Life  Cycle 

This section provides an overview of classification and declassification of information in the U.S. Unfortunately, some of the concepts and methods involved in classification are themselves classified and inaccessible to us. What follows is an abstracted and simplified description of some of the publicly available concepts. The first salient point about classification is that depending on the structure of information, the amount of data classified together may vary: entire files, pages, or paragraphs may be marked for classification as a unit. In this chapter, we assume that the unit of classification is a digital file, since it is at that level that we are interested in controlling access in PCFS.

A  typical  sensitive  file  created  by  an  intelligence  or  defense  agency  goes  through  the  life 
cycle  depicted  in  Figure  8.1.  There  are  4  distinct  states,  which  we  discuss  below.  Transitions 
between  these  states  are  discussed  in  §8.1.2. 

- Default. Every newly created file starts in a temporary state, which we call the default state. Only the individual creating the file has read and write access to a file in this state. A default file may subsequently either be designated a working paper, or it may be deleted.

-  Working  paper.  A  working  paper  is  a  file  that  will  eventually  be  classified,  but 
whose  content  has  not  been  finalized.  When  in  this  state,  read  and  write  access  to  the 
file  is  at  the  discretion  of  the  agency  or  group  that  is  working  on  the  file.  A  file  stays 
in  this  state  for  at  most  90  days,  after  which  it  must  either  be  classified,  reviewed 
again  and  placed  in  the  same  state,  declassified,  or  deleted. 

-  Classified.  After  the  content  of  a  working  paper  is  finalized,  it  is  classified.  Read 
access  to  a  classified  file  is  based  on  several  properties  of  the  classification  (e.g.,  secrecy 
level,  compartments,  etc.)  that  are  decided  when  the  file  is  classified.  These  properties 
are  discussed  in  §8.2.  In  addition,  the  agency  that  owns  the  file  must  authorize  every 
read  access  to  a  classified  file.  Official  guidelines  do  not  specify  who,  if  anyone,  has 
write  access  to  a  classified  file.  Since  changing  the  content  of  a  classified  file  may 
require  reclassification,  it  seems  reasonable  to  assume  that  classified  files  cannot  be 
written,  and  we  make  this  assumption  throughout  this  chapter.  Owing  to  concerns  of 
accountability,  we  also  assume  that  a  classified  file  cannot  be  deleted. 

-  Declassified.  A  file  may  be  released  to  the  public  (declassified)  in  two  ways:  (a) 
through  an  executive  order,  or  (b)  through  an  automatic  expiration  of  the  classification 
at  a  stipulated  point  of  time.  In  this  chapter  we  make  the  simplifying  assumption  that 
a  declassified  file  may  be  read  by  anyone.  In  actual  practice,  a  file  may  be  declassified 
to  specific  groups  of  people,  e.g.,  U.S.  citizens.  As  for  classified  files,  we  assume  that 
declassified  files  cannot  be  deleted. 


8.1.1  Representation  of  File  State  in  PCFS 

To represent the state of a file, we use extended attributes that are natively supported in PCFS. Recall from §4.3 that the state predicate (has xattr f a v) holds in BL if and only if the file f has the extended attribute named user.#pcfs.a set to the term v. v can be any term in BL. We use a specific extended attribute user.#pcfs.status with different values to record the state of a file. These values and their meanings are summarized below. The name "user.#pcfs.status" is abbreviated to status throughout.


Value of extended attribute status on file F   Meaning
default                                        F is in default state
working T                                      F is a working paper, put into that state at time T
classified T T'                                F is classified, effective from time T to time T'
declassified                                   F is declassified
When a file is created, PCFS automatically sets its extended attribute status to default, and its owner to the principal who creates the file.[1] The time point T in the value working T represents the time at which the working paper state is effective. This is important because a working paper can be read and written only for 90 days after it enters the state. Similarly, the time point T' in classified T T' is necessary to determine when the classification will expire. If a classification lacks a fixed expiration, the BL constant +∞ may be used for T'.

8.1.2  File  State  Transition 

A central question regarding file states is who changes the states of a file. As described in §4.3 and §7.2.1, PCFS supports administrative roles for such purposes by requiring a special permission called govern for modifying any extended attribute of a file whose name starts with the prefix user.#pcfs., or its owner. An individual who has this permission on a file may use either the standard Linux system call setxattr or the command line program setfattr to change extended attributes of the file. For our proposed enforcement we assume that only a special principal sysadmin (intended to represent a system administrator) is allowed the govern permission on all files, as formalized by the following rule:

admin  claims  (may  sysadmin  F  govern). 

No  other  rule  in  our  formalization  allows  the  govern  permission  on  any  file.  Hence  sysadmin 
alone  may  change  the  status  of  a  file,  and  affect  its  state.  Of  course,  state  changes  cannot 
be  made  ad  hoc;  sysadmin  must  perform  these  transitions  only  under  certain  conditions. 
The  conditions  necessary  for  each  transition  in  Figure  8.1  are  listed  below,  together  with 
additional  changes  that  must  be  made  with  the  transition.  Since  PCFS  only  performs  access 
control  on  files,  and  policies  cannot  control  the  values  that  file  attributes  may  assume,  these 
conditions  cannot  be  enforced  by  PCFS.  Instead,  we  must  assume  that  sysadmin  follows 
these  guidelines  accurately. 

-  Default  to  working  paper:  This  transition  may  be  applied  at  the  discretion  of  the 
owner  (creator)  of  the  file.  The  status  of  the  file  must  be  set  to  working  T  where  T  is 
the  time  at  which  the  transition  is  applied,  and  the  owner  of  the  file  must  be  changed 
from  the  creator  of  the  file  to  the  agency  or  group  that  is  working  on  the  file  (or  their 
representative) . 

-  Working  paper  to  working  paper:  The  purpose  of  this  transition  is  to  extend  the  90 
day  working  period  of  a  file.  It  may  be  applied  at  the  discretion  of  the  file’s  owner, 
which  will  be  the  group  or  agency  working  on  the  file.  The  status  of  the  file  must  be 
set  to  working  T  where  T  is  the  time  at  which  the  transition  is  applied. 

- Working paper to declassified: This transition can only be applied after approval from an authority competent to certify that the file does not have information that needs to be classified. Such authorities are called Original Classification Authorities or OCAs (see §8.2).

[1] As discussed in §7.2.1, in the actual implementation of PCFS, the attribute status is called newfile, and the value default is 1. Since the difference is merely cosmetic, we use the more meaningful names status and default here.

-  Working  paper  to  classified:  This  transition  must  also  be  approved  by  an  OCA.  In 
addition,  a  number  of  credentials  must  be  issued  by  different  officials  to  approve 
this  authorization,  and  to  decide  the  classified  file’s  secrecy  level,  compartments,  etc. 
(Compartments  are  discussed  in  §8.2.2.)  These  credentials  are  described  in  §8.2.4.  The 
status  of  the  file  must  be  set  to  classified  T  T' ,  where  T  is  the  time  of  the  transition, 
and  T'  is  determined  by  the  OCA  approving  the  transition. 

-  Classified  to  declassified:  There  is  no  need  to  explicitly  apply  this  transition  when  the 
classification  on  a  file  expires,  since  the  access  policies  (§8.1.3)  automatically  allow 
everyone  read  access  after  that  time.  The  transition  is  needed  only  to  prematurely 
declassify  a  file.  In  that  case,  approval  from  an  OCA  is  needed. 

8.1.3  Rules  for  Access  to  Files 

Next  we  formalize  in  BL  the  highest  level  policy  rules  for  file  access.  Access  to  a  file  depends 
on  its  state,  and  follows  the  informal  guidelines  described  at  the  beginning  of  §8.1.  We  group 
our  rules  by  the  state  to  which  they  apply. 


Default. In default state, a file may be read, written, and deleted only by its owner. This is captured by the following rules. The first rule states that it is the admin's policy that if file F is in default state (condition has xattr F status default) and F is owned by K (condition owner F K), then K may read F. The second and third rules similarly allow K to write and delete F respectively. The term identity used in the third rule is the PCFS permission needed to delete a file (§7.2.1). We remind the reader that s :- s1, ..., sn is notation for (s1 ∧ ... ∧ sn) ⊃ s.

admin claims ((may K F read) :-
    has xattr F status default,
    owner F K).

admin claims ((may K F write) :-
    has xattr F status default,
    owner F K).

admin claims ((may K F identity) :-
    has xattr F status default,
    owner F K).


Working Paper. If a file F is marked as a working paper at time T, then for 90 days after T, F may be read, written, or deleted at the discretion of the owner of the file (which, as described in §8.1.2, may be an agency or group). This is enforced by the following rules. 90d denotes 90 days, and is X E is the special constraint that checks the equality of E and X (see §4.3). The conditions K' says (may K F read), K' says (may K F write), and K' says (may K F identity) delegate authorization to K', the owner of file F.

admin claims (((may K F read) :-
    has xattr F status (working T),
    owner F K',
    K' says (may K F read),
    is T' (T + 90d)) @ [T, T']).

admin claims (((may K F write) :-
    has xattr F status (working T),
    owner F K',
    K' says (may K F write),
    is T' (T + 90d)) @ [T, T']).

admin claims (((may K F identity) :-
    has xattr F status (working T),
    owner F K',
    K' says (may K F identity),
    is T' (T + 90d)) @ [T, T']).

It is instructive to observe the role of the @ connective in enforcing the 90 day restriction. For example, it is a consequence of the first rule that for any time point u ∈ [T, T + 90d] at which has xattr F status (working T), owner F K', and K' says (may K F read) all hold, admin says (may K F read) also holds. This is not the case if u ∉ [T, T + 90d]. If 90 days elapse since a file is made a working paper, none of the above rules allow any access to it. In that case, only the principal sysadmin has govern permission to the file (§8.1.2), and this principal must be asked to adjust the status of the file.


Classified. Read access to a classified file is based on properties of its classification such as its secrecy level, compartments, etc., as well as corresponding credentials of the principal to whom access is given. We capture these with the predicate indi/has-clearances/file K F, which means that principal K's credentials suffice to allow it access to F. A large part of the chapter is devoted to describing how this critical predicate is established; it is defined formally in §8.4. In addition to these properties and credentials, read access to a classified file is contingent on authorization from the file's owner. The following rule specifies this formally.

admin claims (((may K F read) :-
    has xattr F status (classified T T'),
    indi/has-clearances/file K F,
    owner F K',
    K' says (may K F read)) @ [T, T']).

The  annotation  @  [T,  T ']  restricts  the  scope  of  this  rule  to  the  duration  for  which  the  file  is 
classified.  After  T',  the  file  is  readable  by  everyone  (described  next). 


Declassified. A file is considered declassified if either its status is marked as such, or if the file is marked classified, but the classification has expired. In both cases, anyone may read the file. This is captured by the following rules.

admin claims ((may K F read) :-
    has xattr F status declassified).

admin claims (((may K F read) :-
    has xattr F status (classified T T')) @ [T', +∞]).

A consequence of the second rule is that if has xattr F status (classified T T'), then for every time point u ≥ T', (admin says (may K F read)) @ [u, u]. This does not hold for u < T'.

Provisions  for  Counterintelligence  Personnel 

In  addition  to  the  above  rules,  there  are  provisions  to  allow  counterintelligence  personnel 
to  read  all  files  that  may  contain  incriminating  evidence  against  an  individual  they  are 
investigating.  Presumably,  these  provisions  apply  to  files  in  all  states.  It  is  unclear  how 
counterintelligence  personnel  are  assigned  to  investigate  individuals,  and  how  it  may  be 
decided  whether  a  file  has  incriminating  evidence  against  a  suspect  or  not.  In  our  for¬ 
malization  we  assume  that  a  special  principal  oracle  can  determine  these  facts  accurately. 
Formally,  let  the  predicate  indi/is-ci  K  K 1  mean  that  principal  K  is  a  counterintelligence 
officer  investigating  principal  K' ,  and  let  indi/is-associated  K 7  F  mean  that  file  F  may 
have  incriminating  evidence  against  the  suspect  principal  K1 .  The  following  rule  states  that 
if  the  principal  oracle  states  both  these  predicates,  then  K  may  read  file  F. 

admin  claims  ((may  K  F  read) 

oracle  says  (indi/is-ci  K  K'), 

oracle  says  (indi/is-associated  K'  F)). 

The  principal  oracle  appears  at  many  places  in  the  rest  of  this  chapter.  In  each  such  case,  it 
is  assumed  to  assert  relevant  facts  whose  source  is  either  unclear  or  unspecific  from  official 
documents. 

8.2 File Classification

In §8.1.2 we stated that when a file is classified, a number of credentials must be issued to determine properties of the file such as its secrecy level, associated compartments, etc. This section explains these credentials in detail, as well as BL rules which combine these credentials to establish properties of a classified file. We start with an intuitive explanation of these properties, and subsequently present BL rules to establish them.

Briefly, there are three relevant properties of a classified file, each of which must be established before the file can be accessed (more precisely, these properties must be known in order to establish the predicate indi/has-clearances/file K F from §8.1.3):2

- Secrecy level: A secrecy level is an indicator of the sensitivity of the contents of a file. It is one of confidential, secret, or topsecret, in increasing order of sensitivity.3 Read access to a classified file is restricted to individuals who have a secrecy clearance at a level equal to or greater than the secrecy level of the file.

- Citizenship requirement: A set of countries is associated with every classified file. Access is restricted only to citizens of those countries, and to those of the U.S. A commonly used abbreviation is "NOFORN" (no access to foreigners), which corresponds to an empty list of countries.

- Associated compartments: A compartment is a description of the purpose of a file, e.g., a project name or a division within the intelligence community. Every classified file is associated with zero or more compartments. Read access to a classified file is restricted only to those individuals who are associated with at least all compartments that the file is associated with.

2 It is possible that there are other relevant properties in practice, but these three properties appear to be sufficiently representative.

3 There is another secrecy level called sbu (sensitive but unclassified), or "for official use only". Files at this level are not classified; sbu is merely a directive to officials to be more careful than usual when handling such files. Therefore, we do not consider sbu in our formalization.

Policies for giving clearances to individuals are discussed in §8.3. In this section we discuss rules pertaining to compartment creation and establishment of the properties listed above.

8.2.1 Original Classification Authorities

The authority to decide which file needs to be classified, and what secrecy level, citizenship requirements, and associated compartments a classified file will have, rests with very high ranking officers of the executive branch of the government and their representatives. These individuals are called Original Classification Authorities or OCAs. We do not model formally how OCAs are determined. Instead, we assume that the principal oracle (introduced in §8.1.3) names OCAs. Let the predicate indi/is-oca O mean that principal O is an OCA. Then the following rule delegates authority over this predicate from admin to oracle.

    admin claims ((indi/is-oca O) :-
                     oracle says (indi/is-oca O)).


8.2.2 Compartments

As mentioned earlier, a compartment describes the purpose of information it labels. For example, a compartment may be the name of an intelligence project. Files that have at least one compartment associated with them are called compartmentalized files. The purpose of associating a file with compartments is to restrict access to only those individuals who are affiliated with each of those compartments. In addition to restricting access, compartments associated with a classified file play a vital role in determining its secrecy level and citizenship requirements, as we discuss later in this section.
Compartment creation. A compartment is created by an OCA. The OCA also fixes several parameters that determine when an individual may be cleared into the compartment. Of these parameters, we model three prominent ones in this chapter: (1) the minimum secrecy level at which the individual must be cleared, (2) the minimum level of background check the individual must pass, and (3) whether or not the individual has to pass a polygraph test. Formally we define the predicate compartment/is C L L' B to mean that C is a valid compartment (in practice, C is a unique string naming the compartment), clearance into which requires:

- A secrecy clearance at level L or higher. Secrecy clearances are described in §8.3.2.

- A background check equivalent to that needed for secrecy clearance at level L' or higher. Background checks are described in §8.3.1.

- A polygraph test if the boolean B is yes. Alternatively, if B is no, then a polygraph test is not necessary to be cleared into C. Polygraph tests are described in §8.3.1.

The following rule delegates the authority to create compartments from admin to every OCA O.

    admin claims ((compartment/is C L L' B) :-
                     indi/is-oca O,
                     O says (compartment/is C L L' B)).


SSO and SCG. When a compartment is created, an OCA appoints a special security officer (SSO) to manage the compartment. Afterwards, a set of guidelines for managing all information associated with the compartment is prepared. This set of guidelines is called the compartment's security classification guide (SCG); it must be approved by both an OCA and the SSO of the compartment to which the SCG pertains. Among other things, the SCG lays down procedures for deciding the secrecy level and citizenship requirements of any file associated with the compartment. As a result, when a file is classified, its associated compartments must be decided first, and subsequently its secrecy level and citizenship requirements must be determined using the SCGs of all the associated compartments.

In our formal model we abstract away the details of an SCG, and treat it only as a symbolic constant. Let the predicate compartment/has-sso C S mean that principal S is compartment C's special security officer, and let compartment/has-scg C SCG mean that SCG is the security classification guide of compartment C. Then, the first rule below allows an OCA O to assign an SSO S to a compartment C, while the second rule states that both an OCA and the SSO of compartment C must approve C's SCG.

    admin claims ((compartment/has-sso C S) :-
                     indi/is-oca O,
                     O says (compartment/has-sso C S)).

    admin claims ((compartment/has-scg C SCG) :-
                     indi/is-oca O,
                     O says (compartment/has-scg C SCG),
                     compartment/has-sso C S,
                     S says (compartment/has-scg C SCG)).

8.2.3 Establishing File Properties

Next, we discuss and formalize rules for determining a file's secrecy level, its citizenship requirements, and its associated compartments. As mentioned in §8.2.2, the compartments associated with a file must be decided first since they are necessary to authorize the file's secrecy level and citizenship requirements.

Determining a file's associated compartments. Let the predicate file/has-compartments F CL mean that file F is associated with exactly the compartments in the list CL. As per official guidelines, establishing this predicate requires two kinds of approvals: (a) an approval from an OCA stating that this should be the case, and (b) approvals from the SSOs of all compartments in the list CL stating that the file may be associated with all the compartments in CL. Modeling the second requirement in BL is slightly tricky; we use a recursively defined helper predicate file/has-compartments/h F CL CL' which means that the SSOs of all compartments in CL' agree that F should be associated with all compartments in CL. The following rule uses this predicate with CL' = CL to allow a file to be associated with a list of compartments CL.

    admin claims ((file/has-compartments F CL) :-
                     indi/is-oca O,
                     O says (file/has-compartments F CL),
                     file/has-compartments/h F CL CL).

The following two rules define the helper predicate file/has-compartments/h F CL CL' by induction on CL'. The symbol nil denotes the empty list and | is an infix cons constructor.

    admin claims (file/has-compartments/h F CL nil).

    admin claims ((file/has-compartments/h F CL (C' | CL')) :-
                     compartment/has-sso C' S,
                     S says (file/has-compartments F CL),
                     file/has-compartments/h F CL CL').

The second rule above means that admin will believe that the SSOs of all compartments in C' | CL' agree that F should be associated with the compartments in CL if (a) the SSO S of compartment C' agrees to this fact (first two conditions of the rule) and (b) recursively, the SSOs of all compartments in CL' agree to this fact (third condition).

Determining a file's secrecy level. As per official guidelines, a file's secrecy level may be set to L if: (a) an OCA says that this should be the case, and (b) the SSOs of all compartments associated with the file agree that the SCGs of their respective compartments allow the file to be given secrecy level L. Formally, let the predicate file/has-level F L mean that file F has secrecy level L, and file/has-level/h F L CL mean that the SSOs of all compartments in CL agree that F may be given secrecy level L in accordance with their respective SCGs. Then the following rule formally captures the above conditions for giving the secrecy level L to file F.

    admin claims ((file/has-level F L) :-
                     indi/is-oca O,
                     O says (file/has-level F L),
                     file/has-compartments F CL,
                     file/has-level/h F L CL).

The following two rules define the predicate file/has-level/h F L CL by induction on CL. The predicate file/has-level/scg F L SCG is intended to mean that the security classification guide SCG mandates that file F be given secrecy level L.

    admin claims (file/has-level/h F L nil).

    admin claims ((file/has-level/h F L (C' | CL')) :-
                     compartment/has-sso C' S,
                     compartment/has-scg C' SCG,
                     S says (file/has-level/scg F L SCG),
                     file/has-level/h F L CL').

According to the second rule above, admin believes that the SSOs of all compartments in C' | CL' agree that F should have secrecy level L if (a) the SSO S of C' states that this assignment of level would be in accordance with the SCG of C' (third condition of the rule), and (b) recursively, the SSOs of all compartments in CL' agree with this assignment (fourth condition). It follows from these rules that if there are no compartments associated with a file F, i.e., if admin says (file/has-compartments F nil), then an OCA O's statement O says (file/has-level F L) suffices to give a secrecy level L to a file.

The second rule above is an example of exclusive delegation, introduced in §3.1.2, because the rule gives principal S authority over the predicate file/has-level/scg, but the principal admin who gives this authority has no jurisdiction over the predicate.


Determining a file's citizenship requirements. Determining the citizenship requirements for reading a file is similar to determining the file's secrecy level: an OCA must approve the list of countries to whose citizens access should be restricted, and the SSOs of all compartments associated with the file must certify that this list would be allowed by their respective SCGs. Formally, let the predicate file/has-citizenship F UL mean that reading file F requires a citizenship of one of the countries in UL (or of the U.S.), file/has-citizenship/h F UL CL mean that the SSOs of all compartments in CL agree with this requirement, and file/has-citizenship/scg F UL SCG mean that SCG approves this requirement. Then the following three rules may be used to determine a file's citizenship requirements.

    admin claims ((file/has-citizenship F UL) :-
                     indi/is-oca O,
                     O says (file/has-citizenship F UL),
                     file/has-compartments F CL,
                     file/has-citizenship/h F UL CL).

    admin claims (file/has-citizenship/h F UL nil).

    admin claims ((file/has-citizenship/h F UL (C' | CL')) :-
                     compartment/has-sso C' S,
                     compartment/has-scg C' SCG,
                     S says (file/has-citizenship/scg F UL SCG),
                     file/has-citizenship/h F UL CL').

As in the case of rules for determining secrecy levels, if there are no compartments associated with a file F, i.e., if admin says (file/has-compartments F nil), then an OCA O's statement O says (file/has-citizenship F UL) suffices to give a citizenship requirement UL to a file.
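The three sets of rules in §8.2.3 share one shape: an OCA approval plus, for every associated compartment, an approval by that compartment's SSO (for the secrecy level and citizenship requirement, an approval referring to the compartment's SCG). The following Python model is an added illustration of that shape, not the thesis's BL prover or any PCFS code. It encodes each issued credential as a tuple (issuer, statement) standing for "issuer claims statement", treats compartment and country lists as tuples, and checks the three file properties against a constructed credential set; all principal, file, compartment and SCG names are sample data invented for the example.

```python
# Added example: a Python model of the BL rules in §8.2.3 for establishing a
# classified file's compartments, secrecy level and citizenship requirement.
# Illustrative code only, not the thesis's prover; all names are constructed.

def says(creds, principal, stmt):
    """True if the credential `principal claims stmt` has been issued."""
    return (principal, stmt) in creds

def is_oca(creds, o):
    # admin claims ((indi/is-oca O) :- oracle says (indi/is-oca O)).
    return says(creds, "oracle", ("indi/is-oca", o))

def oca_approved(creds, stmt):
    """Some OCA O has issued `O claims stmt`."""
    return any(s == stmt and is_oca(creds, o) for o, s in creds)

def compartment_sso(creds, c):
    # admin claims ((compartment/has-sso C S) :- indi/is-oca O,
    #                                            O says (compartment/has-sso C S)).
    for o, s in creds:
        if s[:2] == ("compartment/has-sso", c) and is_oca(creds, o):
            return s[2]
    return None

def compartment_scg(creds, c):
    # The SCG must be approved by both an OCA and the compartment's SSO.
    sso = compartment_sso(creds, c)
    for o, s in creds:
        if s[:2] == ("compartment/has-scg", c) and is_oca(creds, o):
            scg = s[2]
            if says(creds, sso, ("compartment/has-scg", c, scg)):
                return scg
    return None

def file_has_compartments(creds, f, cl):
    # admin claims ((file/has-compartments F CL) :- indi/is-oca O,
    #     O says (file/has-compartments F CL), file/has-compartments/h F CL CL).
    # The helper file/has-compartments/h recurses over CL'; iterating over
    # the list is its iterative equivalent (vacuously true for nil).
    stmt = ("file/has-compartments", f, cl)
    return oca_approved(creds, stmt) and all(
        says(creds, compartment_sso(creds, c), stmt) for c in cl)

def sso_scg_approvals(creds, f, cl, pred, value):
    """file/has-level/h and file/has-citizenship/h: the SSO S of every
    compartment C' in CL must state (pred F value SCG) for C''s own SCG."""
    for c in cl:
        sso, scg = compartment_sso(creds, c), compartment_scg(creds, c)
        if sso is None or scg is None or not says(creds, sso, (pred, f, value, scg)):
            return False
    return True

def file_has_level(creds, f, level, cl):
    # admin claims ((file/has-level F L) :- indi/is-oca O, O says (file/has-level F L),
    #     file/has-compartments F CL, file/has-level/h F L CL).
    return (oca_approved(creds, ("file/has-level", f, level))
            and file_has_compartments(creds, f, cl)
            and sso_scg_approvals(creds, f, cl, "file/has-level/scg", level))

def file_has_citizenship(creds, f, ul, cl):
    # Same shape as file_has_level, with the SCG predicate file/has-citizenship/scg.
    return (oca_approved(creds, ("file/has-citizenship", f, ul))
            and file_has_compartments(creds, f, cl)
            and sso_scg_approvals(creds, f, cl, "file/has-citizenship/scg", ul))

# Constructed sample credentials: alice is an OCA, bob is the SSO of projx.
SAMPLE_CREDS = {
    ("oracle", ("indi/is-oca", "alice")),
    ("alice",  ("compartment/has-sso", "projx", "bob")),
    ("alice",  ("compartment/has-scg", "projx", "scg-projx")),
    ("bob",    ("compartment/has-scg", "projx", "scg-projx")),
    ("alice",  ("file/has-compartments", "report", ("projx",))),
    ("bob",    ("file/has-compartments", "report", ("projx",))),
    ("alice",  ("file/has-level", "report", "secret")),
    ("bob",    ("file/has-level/scg", "report", "secret", "scg-projx")),
    ("alice",  ("file/has-citizenship", "report", ("uk", "ca"))),
    # bob has not certified the citizenship list against his SCG.
    ("alice",  ("file/has-compartments", "memo", ())),   # no compartments
    ("alice",  ("file/has-level", "memo", "topsecret")),
}

if __name__ == "__main__":
    print(file_has_level(SAMPLE_CREDS, "report", "secret", ("projx",)))           # True
    print(file_has_citizenship(SAMPLE_CREDS, "report", ("uk", "ca"), ("projx",)))  # False
    print(file_has_level(SAMPLE_CREDS, "memo", "topsecret", ()))                  # True
```

The "memo" case shows the observation made in the text: with an empty compartment list, the OCA's statement alone establishes the secrecy level, since the SSO check is vacuous. The "report" citizenship case fails only because the SSO has not issued the file/has-citizenship/scg credential, even though the OCA has approved the list.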

8.2.4 Summary of File Classification

As mentioned in §8.1.2, before setting a file F's status attribute to classified T T', the principal sysadmin must ensure that enough credentials are in place to determine the file's secrecy level, citizenship requirements, and associated compartments. The credentials required follow from the rules discussed in §8.2.3, and are summarized below. Although not formalized here, T and T' must also be obtained from an OCA.

• Credentials to determine associated compartments CL

  — An OCA O must issue the credential O claims (file/has-compartments F CL).

  — For every compartment C ∈ CL, the SSO S of C must issue the credential S claims (file/has-compartments F CL).

• Credentials to determine secrecy level L

  — An OCA O must issue the credential O claims (file/has-level F L).

  — For every compartment C ∈ CL, where CL is the list from the previous point, the SSO S of C must issue the credential S claims (file/has-level/scg F L SCG), where SCG is the security classification guide of C.

• Credentials to determine citizenship requirements UL

  — An OCA O must issue the credential O claims (file/has-citizenship F UL).

  — For every compartment C ∈ CL, where CL is the list from the first point, the SSO S of C must issue the credential S claims (file/has-citizenship/scg F UL SCG), where SCG is the security classification guide of C.

In practice, any issued credential will be valid for only a stipulated duration of time. This gets represented in BL through the @ connective. For example, if an OCA O says that file F should have secrecy level L from 2009 to 2011, this would be represented in BL as (O claims (file/has-level F L)) @ [2009:01:01:00:00:00, 2011:12:31:23:59:59]. In general, the validities of all credentials in the list above may be restricted using explicit time. BL's inference rules propagate these time restrictions to other facts derived from the credentials and policy rules.


8.3 Individual Clearances

Individuals require clearance both at secrecy levels and into compartments, as well as citizenship of specific countries, to read classified files. We call these three primary clearances of individuals. In order to obtain primary clearances, other auxiliary clearances are needed. These include polygraph tests and background checks. In this section we formalize the methods for obtaining auxiliary clearances, as well as rules for combining them to determine clearance at secrecy levels and into compartments. We start with the auxiliary clearances.

8.3.1 Auxiliary Clearances

Polygraph clearance. Individuals may need to pass a polygraph test to get clearance into certain compartments (§8.2.2 and §8.3.2). Polygraph tests are administered and certified by trained individuals, whom we call polygraph administrators. The procedures for identifying polygraph administrators are beyond the scope of our formalization; we simply assume that oracle names polygraph administrators. Let indi/is-polygraph-admin PA mean that principal PA is a trusted polygraph administrator, and let indi/has-polygraph K mean that principal K has passed a polygraph test. The following rule states that if oracle says that PA is a polygraph administrator, and PA says that K has passed a polygraph test, then admin will believe the latter.

    admin claims ((indi/has-polygraph K) :-
                     oracle says (indi/is-polygraph-admin PA),
                     PA says (indi/has-polygraph K)).

Background checks. A background check certifies an individual's past. It is necessary to get clearance both at secrecy levels and into compartments. There are two commonly used background checks: (1) National Agency Check with Local Agency Check and Credit Check or NACLC, and (2) Single Scope Background Investigation or SSBI. NACLC is an investigation of an individual's criminal records and credit history. SSBI includes the NACLC and in addition requires interviews of colleagues and investigation of family history. We assume that certain principals called background administrators are certified to check others' backgrounds. Background administrators are assumed to be determined by the principal oracle.

From the perspective of formalization, it is very convenient to abstract background checks by the secrecy level for which they are mandatory. Informally speaking, for example, a background check at level confidential would correspond to a background check that is needed to get clearance at secrecy level confidential. This kind of an abstraction is useful because, as per official guidelines, background checks conducted for clearance at secrecy levels expire at fixed intervals of time, and a similar expiration applies to other applications of background checks (e.g., for clearance into compartments). The actual check corresponding to each secrecy level and its expiration time is shown in the table below.

    Abstract level of background check    Actual background check needed and expiration
    confidential                          NACLC, expires in 15 years
    secret                                NACLC, expires in 10 years
    topsecret                             SSBI, expires in 5 years

4 In practice, the NACLC for secret clearance may be more extensive than the NACLC for confidential clearance. Even if there is such a distinction, we blur it in our formalization.

Let indi/is-background-admin BA mean that principal BA is a background administrator. Further let indi/has-naclc K T mean that principal K passed an NACLC at time T, and indi/has-ssbi K T mean that principal K passed an SSBI at time T. The following rules define the predicate indi/has-background K L, which means that principal K has a background check that is needed for clearance at secrecy level L. There are three rules, one for each possible value of L. A salient point to observe is the use of the @ connective for automatically expiring background checks in accordance with the table above. The symbol y following a number means "years". Hence 15y means 15 years. As an example, the first rule below means that if oracle states that BA is a background administrator and BA states that K passed an NACLC at time T, then admin believes that K has a background check at level confidential in the interval [T, T + 15y].

    admin claims (((indi/has-background K confidential) :-
                     oracle says (indi/is-background-admin BA),
                     BA says (indi/has-naclc K T),
                     is T' (T + 15y)) @ [T, T']).

    admin claims (((indi/has-background K secret) :-
                     oracle says (indi/is-background-admin BA),
                     BA says (indi/has-naclc K T),
                     is T' (T + 10y)) @ [T, T']).

    admin claims (((indi/has-background K topsecret) :-
                     oracle says (indi/is-background-admin BA),
                     BA says (indi/has-ssbi K T),
                     is T' (T + 5y)) @ [T, T']).

The remaining policy rules refer only to the predicate indi/has-background K L, not to the predicates indi/has-naclc K T and indi/has-ssbi K T. It is instructive to observe that the @ connective in the above policy rules is placed outside the implication :-. This is important. For example, although perhaps reasonable at a first glance, the following alternate encoding of the third rule is in fact incorrect, as explained below.

    admin claims ((indi/has-background K topsecret) @ [T, T'] :-
                     oracle says (indi/is-background-admin BA),
                     BA says (indi/has-ssbi K T),
                     is T' (T + 5y)).

The problem with this alternate rule is that it does not force a relation between the intervals over which oracle says (indi/is-background-admin BA) and BA says (indi/has-ssbi K T) are established and the interval over which admin says (indi/has-background K topsecret) is deduced. In particular, for any intervals [u1, u2], [u1', u2'], and [u1'', u2''] ⊆ [T, T + 5y], this policy rule together with oracle says (indi/is-background-admin BA) @ [u1, u2] and BA says (indi/has-ssbi K T) @ [u1', u2'] implies admin says (indi/has-background K topsecret) @ [u1'', u2''], which is incorrect since, from an informal understanding of the rule, we would expect that [u1, u2] ⊇ [u1', u2'] ⊇ [u1'', u2''] be required.
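The difference between the two encodings can be made concrete by attaching a validity interval to every credential and computing the interval over which the head is derived. The Python model below is an added illustration, not the thesis's BL inference engine: time is measured in years as plain numbers, each fact is a triple (principal, statement, [lo, hi]) standing for "principal says statement @ [lo, hi]", and the principal and time values are constructed sample data. has_background follows the encoding adopted in the text, firing only at time points inside [T, T + Ny] at which both premises hold; has_background_wrong follows the rejected encoding, which asserts the head over the whole of [T, T + Ny] as soon as the body holds anywhere.

```python
# Added example: interval-scoped derivation of indi/has-background K L,
# contrasting the adopted encoding (@ outside the :-) with the rejected one.
# Illustrative model only; the thesis's BL prover is not reproduced here.

# From the table in §8.3.1: abstract level -> (required check, years valid).
CHECK_VALIDITY = {
    "confidential": ("indi/has-naclc", 15),
    "secret":       ("indi/has-naclc", 10),
    "topsecret":    ("indi/has-ssbi", 5),
}

def intersect(a, b):
    """Intersection of two closed intervals, or None if either is None or they are disjoint."""
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def interval_of(facts, principal, stmt):
    """Validity interval of `principal says stmt @ [lo, hi]`, or None if absent."""
    for p, s, iv in facts:
        if p == principal and s == stmt:
            return iv
    return None

def _candidate_checks(facts, k, level):
    """For each check credential issued for K at `level`, yield
    (BA's credential interval, oracle's interval vouching for BA, T, years)."""
    check, years = CHECK_VALIDITY[level]
    for ba, s, iv in facts:
        if s[0] == check and s[1] == k:
            t = s[2]
            admin_iv = interval_of(facts, "oracle", ("indi/is-background-admin", ba))
            yield iv, admin_iv, t, years

def has_background(facts, k, level):
    """Adopted encoding: ((indi/has-background K L) :- ...) @ [T, T'].
    The clause holds at each time point of [T, T+Ny]; at such a point the head
    follows only if *both* premises hold there, so the derived interval is the
    intersection of all three.  Returns that interval, or None."""
    for ba_iv, admin_iv, t, years in _candidate_checks(facts, k, level):
        derived = intersect(intersect((t, t + years), ba_iv), admin_iv)
        if derived is not None:
            return derived
    return None

def has_background_wrong(facts, k, level):
    """Rejected encoding: (indi/has-background K L) @ [T, T'] :- ... .
    Once the body holds at some common time point, the head is asserted for
    all of [T, T+Ny], even after the premises' credentials have lapsed."""
    for ba_iv, admin_iv, t, years in _candidate_checks(facts, k, level):
        if intersect(ba_iv, admin_iv) is not None:
            return (t, t + years)
    return None

# Constructed sample facts: (principal, statement, validity interval in years).
SAMPLE_FACTS = [
    # oracle vouches for carol as a background administrator only until 2012.
    ("oracle", ("indi/is-background-admin", "carol"), (2009, 2012)),
    # carol certifies that dave passed an SSBI at T = 2010; credential valid to 2016.
    ("carol", ("indi/has-ssbi", "dave", 2010), (2010, 2016)),
]

if __name__ == "__main__":
    print(has_background(SAMPLE_FACTS, "dave", "topsecret"))        # (2010, 2012)
    print(has_background_wrong(SAMPLE_FACTS, "dave", "topsecret"))  # (2010, 2015)
```

With the sample facts, the adopted encoding derives the clearance only for [2010, 2012], which lies inside both credential intervals as the text expects; the rejected encoding derives [2010, 2015], three years past the point at which oracle stops vouching for the administrator.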

8.3.2 Primary Clearances

An individual's clearance at a secrecy level, clearance into compartments, as well as citizenship directly determine what classified files she has access to. We now describe rules that define how these are determined.

Citizenship. We assume that oracle decides the citizenship of each individual. Let indi/has-citizenship K U mean that principal K is a citizen of country U. The following rule delegates authority over this predicate from admin to oracle.

    admin claims ((indi/has-citizenship K U) :-
                     oracle says (indi/has-citizenship K U)).

A useful, related predicate is indi/has-citizenship/list K UL, which means that K is a citizen of at least one of the countries in the list UL. The following two rules define this predicate by induction on the list UL.

    admin claims ((indi/has-citizenship/list K (U | UL)) :-
                     indi/has-citizenship K U).

    admin claims ((indi/has-citizenship/list K (U | UL)) :-
                     oracle claims (indi/has-citizenship/list K UL)).

Clearance at secrecy levels. As mentioned in §8.3.1, an individual must pass a background check at level L in order to get clearance at secrecy level L. In addition, the individual must have a need to get the clearance. Since the factors determining this need are varied and are not completely specified, we simply assume here that oracle may assert this need. Let indi/has-level K L mean that individual K has clearance at secrecy level L, and indi/needs-level K L mean that principal K has a need to get clearance at secrecy level L. level/below L L' means that level L is below the level L' in the order confidential < secret < topsecret. It is defined later. The following rule states that admin will believe that K has clearance at secrecy level L if oracle says that K needs this clearance, and K has passed a background check at some level L' which is higher than L.

    admin claims ((indi/has-level K L) :-
                     oracle says (indi/needs-level K L),
                     indi/has-background K L',
                     level/below L L').

As formalized in §8.3.1, the validity of indi/has-background K L' is limited to 15, 10, or 5 years depending on L'. The above rule and the inference rules of BL transfer the same restrictions to indi/has-level K L. The predicate level/below is defined by the rules below. Since it is reasonable to assume that all principals agree on the definition of the predicate, these rules are stated by the strongest principal ℓ (recall that according to BL's inference rules, (ℓ says s) ⊃ (k says s) for every k and s).

    ℓ claims (level/below L L).

    ℓ claims (level/below confidential secret).

    ℓ claims (level/below secret topsecret).

    ℓ claims (level/below confidential topsecret).

Clearance into compartments. As mentioned in §8.2.2, to be cleared into a compartment, an individual must satisfy all its requirements: secrecy level, background check, and a polygraph test if needed. These requirements are uniquely determined from the predicate compartment/is C L L' B, which is established when the compartment C is created. Let the predicates indi/has-comp-level K C, indi/has-comp-background K C, and indi/has-comp-polygraph K C mean that an individual has clearance at an appropriate secrecy level, background check, and polygraph check (if needed) for being cleared into compartment C. The following rules define these predicates by considering respectively the 2nd, 3rd, and 4th arguments of the predicate compartment/is C L L' B. An underscore _ represents an implicitly named variable, whose instantiated value is irrelevant to the rule.

    admin claims ((indi/has-comp-level K C) :-
                     compartment/is C L _ _,
                     indi/has-level K L'',
                     level/below L L'').

    admin claims ((indi/has-comp-background K C) :-
                     compartment/is C _ L' _,
                     indi/has-background K L'',
                     level/below L' L'').

    admin claims ((indi/has-comp-polygraph K C) :-
                     compartment/is C _ _ yes,
                     indi/has-polygraph K).

    admin claims ((indi/has-comp-polygraph K C) :-
                     compartment/is C _ _ no).

Using the above predicates, we define the predicate indi/has-compartment K C which means that an individual K is cleared into the compartment C. An important fact to observe here is that in addition to satisfying the three requirements of the compartment, the SSO S of the compartment must certify the clearance, and, as in the case of clearance at secrecy levels, the principal oracle must certify that the principal actually needs the clearance (predicate indi/needs-compartment K C).

    admin claims ((indi/has-compartment K C) :-
                     oracle says (indi/needs-compartment K C),
                     compartment/has-sso C S,
                     S says (indi/has-compartment K C),
                     indi/has-comp-level K C,
                     indi/has-comp-background K C,
                     indi/has-comp-polygraph K C).

Finally, the following two rules define a related, useful predicate indi/has-compartment/list K CL which means that K is cleared into all compartments in the list CL.

    admin claims (indi/has-compartment/list K nil).

    admin claims ((indi/has-compartment/list K (C | CL)) :-
                     indi/has-compartment K C,
                     indi/has-compartment/list K CL).
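The rules of §8.3.2 form a chain: clearance into a compartment depends on indi/has-level, which depends on indi/has-background and the order level/below, and the compartment's own parameters come from compartment/is C L L' B. The following Python model is an added illustration of that chain, not the thesis's prover or PCFS code. Credentials are encoded as (issuer, statement) tuples standing for "issuer claims statement"; to keep the block self-contained, the time-scoped predicate indi/has-background K L of §8.3.1 is taken as an already-derived input fact issued by admin (an assumption of this example, with the interval arithmetic omitted), and all principal and compartment names are constructed.

```python
# Added example: a Python model of the §8.3.2 rules for clearance at secrecy
# levels and into compartments.  Illustrative only; not the thesis's prover.

LEVELS = ("confidential", "secret", "topsecret")  # increasing sensitivity

def level_below(l, l2):
    # ℓ claims (level/below L L) plus the three strict cases: a reflexive
    # total order confidential <= secret <= topsecret.
    return LEVELS.index(l) <= LEVELS.index(l2)

def says(creds, principal, stmt):
    """True if the credential `principal claims stmt` has been issued."""
    return (principal, stmt) in creds

def has_citizenship_list(creds, k, ul):
    # indi/has-citizenship/list K UL: K is a citizen of at least one country in UL,
    # with oracle as the authority on indi/has-citizenship K U.
    return any(says(creds, "oracle", ("indi/has-citizenship", k, u)) for u in ul)

def has_polygraph(creds, k):
    # admin claims ((indi/has-polygraph K) :- oracle says (indi/is-polygraph-admin PA),
    #                                         PA says (indi/has-polygraph K)).
    return any(s == ("indi/has-polygraph", k)
               and says(creds, "oracle", ("indi/is-polygraph-admin", pa))
               for pa, s in creds)

def has_background(creds, k, level):
    # Stands in for the time-scoped indi/has-background K L of §8.3.1; modelled
    # here as an input fact issued by admin (assumption of this example).
    return says(creds, "admin", ("indi/has-background", k, level))

def has_level(creds, k, l):
    # admin claims ((indi/has-level K L) :- oracle says (indi/needs-level K L),
    #     indi/has-background K L', level/below L L').
    return (says(creds, "oracle", ("indi/needs-level", k, l))
            and any(has_background(creds, k, l2) and level_below(l, l2) for l2 in LEVELS))

def compartment_spec(creds, c):
    """compartment/is C L L' B as created by an OCA; returns (L, L', B) or None."""
    for o, s in creds:
        if s[:2] == ("compartment/is", c) and says(creds, "oracle", ("indi/is-oca", o)):
            return s[2:]
    return None

def compartment_sso(creds, c):
    # compartment/has-sso C S, assigned by an OCA.
    for o, s in creds:
        if s[:2] == ("compartment/has-sso", c) and says(creds, "oracle", ("indi/is-oca", o)):
            return s[2]
    return None

def has_compartment(creds, k, c):
    # admin claims ((indi/has-compartment K C) :- oracle says (indi/needs-compartment K C),
    #     compartment/has-sso C S, S says (indi/has-compartment K C),
    #     indi/has-comp-level K C, indi/has-comp-background K C, indi/has-comp-polygraph K C).
    spec, sso = compartment_spec(creds, c), compartment_sso(creds, c)
    if spec is None or sso is None:
        return False
    l, l2, polygraph_required = spec
    comp_level = any(has_level(creds, k, x) and level_below(l, x) for x in LEVELS)
    comp_background = any(has_background(creds, k, x) and level_below(l2, x) for x in LEVELS)
    comp_polygraph = polygraph_required == "no" or has_polygraph(creds, k)
    return (says(creds, "oracle", ("indi/needs-compartment", k, c))
            and says(creds, sso, ("indi/has-compartment", k, c))
            and comp_level and comp_background and comp_polygraph)

def has_compartment_list(creds, k, cl):
    # indi/has-compartment/list K CL by induction on CL; all() is the iterative form.
    return all(has_compartment(creds, k, c) for c in cl)

# Constructed sample credentials: alice is an OCA, frank an SSO, grace a polygraph
# administrator, erin the individual seeking clearance.
SAMPLE_CREDS = {
    ("oracle", ("indi/is-oca", "alice")),
    ("oracle", ("indi/is-polygraph-admin", "grace")),
    ("alice",  ("compartment/is", "projx", "secret", "secret", "yes")),
    ("alice",  ("compartment/is", "projy", "topsecret", "topsecret", "no")),
    ("alice",  ("compartment/has-sso", "projx", "frank")),
    ("alice",  ("compartment/has-sso", "projy", "frank")),
    ("admin",  ("indi/has-background", "erin", "topsecret")),
    ("oracle", ("indi/needs-level", "erin", "secret")),
    ("oracle", ("indi/needs-compartment", "erin", "projx")),
    ("oracle", ("indi/needs-compartment", "erin", "projy")),
    ("frank",  ("indi/has-compartment", "erin", "projx")),
    ("frank",  ("indi/has-compartment", "erin", "projy")),
    ("grace",  ("indi/has-polygraph", "erin")),
    ("oracle", ("indi/has-citizenship", "erin", "us")),
}
```

In the sample, erin holds a topsecret background check but oracle has only asserted a need for clearance at level secret, so indi/has-level erin topsecret is not derivable. That is enough for projx (which requires level secret, and for which she has the SSO's certification and a polygraph) but blocks projy, which requires level topsecret even though it needs no polygraph; the list predicate over both compartments therefore fails.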

8.3.3 Summary of Individual Clearances

We close this section with a summary of credentials needed to give various clearances to an individual K.

• Credentials to establish polygraph clearance

  — A polygraph administrator PA must issue the credential PA claims (indi/has-polygraph K).

• Credentials to certify background check at level L

  — If L is confidential or secret, then a background administrator BA must issue the credential BA claims (indi/has-naclc K T). The check is valid for 15 years after T if L = confidential and for 10 years after T if L = secret.

  — If L is topsecret, then a background administrator BA must issue the credential BA claims (indi/has-ssbi K T). The check is valid for 5 years after T.

• Credentials to determine citizenship of country U

  — oracle must issue the credential oracle claims (indi/has-citizenship K U).

• Credentials for secrecy clearance at level L

  — oracle must issue the credential oracle claims (indi/needs-level K L).

  — Credentials to certify background check at level L or higher as determined by the second point above.

• Credentials for clearance into compartment C established with the predicate compartment/is C L L' B

  — oracle must issue the credential oracle claims (indi/needs-compartment K C).

  — The SSO S of C must issue the credential S claims (indi/has-compartment K C).

  — Credentials for secrecy clearance at level L or higher as determined by the fourth point above.

  — Credentials to certify background check at level L' or higher as determined by the second point above.

  — Credentials to establish polygraph clearance if B = yes as determined by the first point above.


8.4 Clearances to Classified Files

In §8.1.3 we introduced the predicate indi/has-clearances/file K F, which means that
principal K has enough clearance to read classified file F. Building on other predicates
defined in §8.2 and §8.3, we now provide rules that define this critical predicate.

First, we define three auxiliary predicates using the fairly straightforward rules below:
(a) indi/has-level/file K F, which means that principal K has clearance at a secrecy
level higher than that of file F, (b) indi/has-comps/file K F, which means that
principal K is cleared into all compartments that F is associated with, and (c)
indi/has-cit/file K F, which means that principal K is a citizen of at least one country
in the citizenship requirements of F.

admin claims ((indi/has-level/file K F) :-
    file/has-level F L,
    indi/has-level K L',
    level/below L L').

admin claims ((indi/has-comps/file K F) :-
    file/has-compartments F CL,
    indi/has-compartment/list K CL).

admin claims ((indi/has-cit/file K F) :-
    file/has-citizenship F UL,
    indi/has-citizenship/list K UL).

admin claims ((indi/has-cit/file K F) :-
    indi/has-citizenship K usa).

The last rule means that any U.S. citizen satisfies the citizenship requirement for reading
a file, irrespective of the latter's actual citizenship requirements. The following rule defines
the predicate indi/has-clearances/file K F using these three predicates.

admin claims ((indi/has-clearances/file K F) :-
    indi/has-level/file K F,
    indi/has-comps/file K F,
    indi/has-cit/file K F).
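The admin rules of §8.3.2 and §8.4 evaluated over a constructed fact base, as an added example that is not part of the thesis or of PCFS: a credential "A says (p x y)" is modelled as the tuple ("says", A, p, x, y), every other fact as (p, x, y), and the principals, files, compartments and SSO names are constructed for this example.

```python
"""Added example, not code from the thesis or from PCFS: the admin rules of
§8.3.2 and §8.4 evaluated over a constructed fact base. A BL credential
'A says (p x y)' is modelled as the tuple ("says", A, p, x, y); every other
fact as (p, x, y). All principals, files and compartments are constructed."""

LEVELS = ("confidential", "secret", "topsecret")   # order used by level/below


def level_below(l, l2):
    """level/below L L': L is at or below L'. Reflexive, because
    indi/has-level/file is read as 'equal to or above' in §8.6."""
    return LEVELS.index(l) <= LEVELS.index(l2)


def lookup(db, pred, key):
    """Value V of the unique fact (pred key V), or None if absent."""
    for fact in db:
        if fact[0] == pred and fact[1] == key:
            return fact[2]
    return None


def has_compartment(db, K, C):
    """indi/has-compartment K C (§8.3.2): the oracle must say K needs the
    compartment, its SSO must certify K, and the three requirements hold."""
    S = lookup(db, "compartment/has-sso", C)
    return (S is not None
            and ("says", "oracle", "indi/needs-compartment", K, C) in db
            and ("says", S, "indi/has-compartment", K, C) in db
            and ("indi/has-comp-level", K, C) in db
            and ("indi/has-comp-background", K, C) in db
            and ("indi/has-comp-polygraph", K, C) in db)


def has_compartment_list(db, K, CL):
    """indi/has-compartment/list K CL: the two rules, nil and C :: CL."""
    if not CL:
        return True
    return has_compartment(db, K, CL[0]) and has_compartment_list(db, K, CL[1:])


def has_level_file(db, K, F):
    """indi/has-level/file K F: some level K holds is at or above F's."""
    L = lookup(db, "file/has-level", F)
    return L is not None and any(
        level_below(L, fact[2]) for fact in db
        if fact[0] == "indi/has-level" and fact[1] == K)


def has_comps_file(db, K, F):
    """indi/has-comps/file K F: cleared into every compartment of F."""
    CL = lookup(db, "file/has-compartments", F)
    return CL is not None and has_compartment_list(db, K, CL)


def has_cit_file(db, K, F):
    """indi/has-cit/file K F: citizen of a listed country, or of the U.S."""
    if ("indi/has-citizenship", K, "usa") in db:
        return True
    UL = lookup(db, "file/has-citizenship", F)
    return UL is not None and any(("indi/has-citizenship", K, U) in db for U in UL)


def has_clearances_file(db, K, F):
    """indi/has-clearances/file K F (§8.4): all three auxiliary predicates."""
    return has_level_file(db, K, F) and has_comps_file(db, K, F) and has_cit_file(db, K, F)


# Constructed fact base: one classified file, two compartments, two principals.
DB = {
    ("file/has-level", "plan.doc", "secret"),
    ("file/has-compartments", "plan.doc", ("alpha", "beta")),
    ("file/has-citizenship", "plan.doc", ("uk", "canada")),
    ("compartment/has-sso", "alpha", "sso_a"),
    ("compartment/has-sso", "beta", "sso_b"),
    ("indi/has-level", "alice", "topsecret"),
    ("indi/has-citizenship", "alice", "uk"),
    ("indi/has-level", "bob", "secret"),
    ("indi/has-citizenship", "bob", "usa"),
}
# alice satisfies every requirement of both compartments ...
for C, S in (("alpha", "sso_a"), ("beta", "sso_b")):
    DB |= {("says", "oracle", "indi/needs-compartment", "alice", C),
           ("says", S, "indi/has-compartment", "alice", C),
           ("indi/has-comp-level", "alice", C),
           ("indi/has-comp-background", "alice", C),
           ("indi/has-comp-polygraph", "alice", C)}
# ... bob is certified by the SSO of alpha, but the oracle never says he needs it.
DB |= {("says", "sso_a", "indi/has-compartment", "bob", "alpha"),
       ("indi/has-comp-level", "bob", "alpha"),
       ("indi/has-comp-background", "bob", "alpha"),
       ("indi/has-comp-polygraph", "bob", "alpha")}


def demo():
    """Who may read plan.doc, and which requirement stops the others."""
    return {K: (has_level_file(DB, K, "plan.doc"),
                has_comps_file(DB, K, "plan.doc"),
                has_cit_file(DB, K, "plan.doc"),
                has_clearances_file(DB, K, "plan.doc"))
            for K in ("alice", "bob")}


if __name__ == "__main__":
    print(demo())   # {'alice': (True, True, True, True), 'bob': (True, False, True, False)}
```

Bob fails only on indi/has-comps/file: the SSO certificate alone is not enough, the oracle's indi/needs-compartment credential is a separate requirement of the rule.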


8.5 Summary

The case study presented in this chapter validates the expressiveness of the logic BL as
a framework for expressing authorization policies, and highlights many of its important
aspects. The policies presented in this chapter can be enforced directly in the file system
PCFS. We conclude this chapter with some salient observations about the case study.

First, the case study exercises a novel feature of BL: interpreted predicates for representing
system state. The state of a sensitive file (default, working paper, classified, or
declassified) is represented as an extended attribute on the file, which is tested in the logic
through the interpreted predicate has_xattr F A V in various policy rules that allow
access to files (§8.1.3). As discussed in §8.1.2, the PCFS requirement that a special permission,
govern, distinct from write, be obtained in order to modify extended attributes helps
preserve the integrity of file states (see §7.2.1 for a description of PCFS permissions).

Second, the case study relies on BL's support for explicit time not only to model time-bounded
certificates, but also to limit the temporal validities of conclusions based on time
points present in extended attributes and credentials. Examples of the latter use of explicit
time are the 90-day rule for working papers from §8.1.3 and the 5-, 10-, and 15-year rules
for expiration of background checks from §8.3.1. The illustration at the end of §8.3.1 also
shows that care must be taken when scoping the @ connective in policies. Seemingly obvious
representations of policies with the @ connective may not always be correct.

Besides the dynamic features of BL, namely interpreted predicates and explicit time,
several policy rules presented in this chapter illustrate exclusive delegation (§3.1.2). One
example of exclusive delegation was pointed out in §8.2.3; the motif recurs in several other
rules as well. As mentioned at the beginning of §3, being able to represent exclusive
delegation is the main reason for the use of a new authorization logic, BL, in this thesis.

Finally, based on the fact that BL is able to express the reasonably complex policies
for access to sensitive information, we may expect that policies for information sharing in
other organizations (and among them) can also be expressed in BL and enforced in PCFS
in a similar manner.


8.6 List of Predicates Used in the Formalization

The following table lists all predicates used in this chapter, the sections of the chapter in
which they are described, and their intuitive meanings.

Predicate                            Section   Meaning
compartment/has-scg C SCG            §8.2.2    SCG is compartment C's security classification guide
compartment/has-sso C S              §8.2.2    S is compartment C's special security officer (SSO)
compartment/is C L L' B              §8.2.2    C is a compartment, clearance into which requires secrecy clearance at level L, background check at level L', and a polygraph test if B = yes
file/has-citizenship F UL            §8.2.3    Read access to file F is restricted to citizens of countries in the list UL (and of the U.S.)
file/has-citizenship/h F UL CL       §8.2.3    The SSOs of all compartments in the list CL certify that read access to F should be restricted to citizens of countries in the list UL (and of the U.S.)
file/has-citizenship/scg F UL SCG    §8.2.3    It is conformant with SCG that read access to file F be restricted to citizens of countries in the list UL (and of the U.S.)
file/has-compartments F CL           §8.2.3    File F is associated with all compartments in the list CL
file/has-compartments/h F CL CL'     §8.2.3    The SSOs of all compartments in the list CL' certify that it is okay to associate file F with all compartments in the list CL
file/has-level F L                   §8.2.3    File F has secrecy level L
file/has-level/h F L CL              §8.2.3    The SSOs of all compartments in the list CL certify that it is okay to give file F secrecy level L
file/has-level/scg F L SCG           §8.2.3    It is conformant with SCG that file F have secrecy level L
has_xattr F A V                      §8.1.1    The extended attribute named A on file F is set to value V
indi/has-background K L              §8.3.1    Principal K has a background check which is mandatory for clearance at secrecy level L
indi/has-citizenship K U             §8.3.2    Principal K is a citizen of country U
indi/has-citizenship/list K UL       §8.3.2    Principal K is a citizen of at least one of the countries in the list UL
indi/has-cit/file K F                §8.4      Principal K has the citizenship of one of the countries associated with file F (or of the U.S.)
indi/has-clearances/file K F         §8.4      Principal K has enough security clearances to read classified file F
indi/has-compartment K C             §8.3.2    Principal K is cleared into compartment C
indi/has-compartment/list K CL       §8.3.2    Principal K is cleared into all compartments in the list CL
indi/has-comp-background K C         §8.3.2    Principal K has passed a background check sufficient for clearance into compartment C
indi/has-comp-level K C              §8.3.2    Principal K has secrecy clearance at a level higher than that needed for clearance into compartment C
indi/has-comp-polygraph K C          §8.3.2    If clearance into compartment C requires a polygraph test, then principal K has passed one
indi/has-comps/file K F              §8.4      Principal K is cleared into all compartments associated with file F
indi/has-level K L                   §8.3.2    Principal K is cleared at secrecy level L
indi/has-level/file K F              §8.4      Principal K has secrecy clearance at a level equal to or above that of file F
indi/has-naclc K T                   §8.3.1    Principal K passed an NACLC at time T
indi/has-polygraph K                 §8.3.1    Principal K passed a polygraph test
indi/has-ssbi K T                    §8.3.1    Principal K passed an SSBI at time T
indi/is-associated K F               §8.1.3    File F may potentially have incriminating evidence against principal K
indi/is-background-admin BA          §8.3.1    Principal BA is certified to check others' backgrounds
indi/is-ci K K'                      §8.1.3    Principal K is a counterintelligence officer who is investigating principal K'
indi/is-oca O                        §8.2.1    Principal O is an Original Classification Authority (OCA)
indi/is-polygraph-admin PA           §8.3.1    Principal PA is certified to administer polygraph tests on others
indi/needs-compartment K C           §8.3.2    Principal K needs clearance into compartment C
indi/needs-level K L                 §8.3.2    Principal K needs clearance at secrecy level L
level/below L L'                     §8.3.2    Secrecy level L is below L' (confidential < secret < topsecret)
may K F P                            §8.1.3    Principal K has permission P on file F
owner F K                            §8.1.3    File F is owned by principal K
Chapter 9

BL_L: A Linear Extension of BL


This chapter presents BL_L, an extension of BL based on ideas from linear logic [71]. As in
linear logic, there are special kinds of hypotheses called resources or linear hypotheses in
hypothetical judgments of BL_L that, unlike ordinary hypotheses, do not admit contraction
and weakening (Theorem 4.8). Consequently, every resource assumed in a proof must be
used in the proof exactly once.[1] Resources are an appropriate way to model consumable
credentials, i.e., assumptions in an authorization policy that can be used a stipulated number
of times only. Such assumptions are useful in practice, e.g., a pay-per-view website may
want to give a user a credential that allows her access to a movie only once in return for
a fixed amount of money. Using linear hypotheses, which we denote with the letter Δ,
consumable credentials can be modeled and enforced through proof-carrying authorization
(without procaps) as follows.[2]

1. Certificates establishing consumable hypotheses are distinguishably marked by their
creators. In a logical proof, consumable credentials are reflected in the linear hypotheses
Δ, not the ordinary hypotheses Γ. Each consumable hypothesis is replicated in Δ
as many times as it is needed in the proof.

2. By counting the number of occurrences of each consumable credential in the linear
hypotheses of each proof it verifies, the proof verifier embedded in the reference monitor
tracks the number of times each consumable credential has been used over time.
Assuming that the maximum number of times each consumable credential may be
used is known to the proof verifier, a proof that relies on more uses of any consumable
credential than are still left is immediately rejected.
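The use-counting of step (2), as an added example that is not part of the thesis or of PCFS: a Python sketch of the accounting a reference monitor's proof verifier keeps for consumable credentials. Proof checking itself is assumed to have been done elsewhere; the credential identifiers, their budgets and the pay-per-view scenario are constructed.

```python
"""Added example, not code from the thesis or from PCFS: step (2) of the
enforcement mechanism for consumable credentials. The proof is assumed to
have been checked already; only the accounting over its hypotheses is shown.
Credential ids and use budgets are constructed."""
from collections import Counter


class ConsumableCredentialTracker:
    """Tracks how many uses of each consumable credential remain.

    Certificates marked consumable by their creators (step 1) are registered
    with a maximum use count. Unmarked credentials are unrestricted, belong
    in Gamma, and are never counted."""

    def __init__(self, limits):
        self.remaining = dict(limits)          # credential id -> uses left

    def is_consumable(self, cred):
        return cred in self.remaining

    def check_proof(self, linear_hyps, unrestricted_hyps=()):
        """Accept or reject a verified proof on the basis of its hypotheses.

        linear_hyps is Delta: a consumable credential appears in it as many
        times as the proof uses it. The proof is rejected as a whole if any
        credential needs more uses than are left; otherwise every budget is
        decremented at once, so a rejected proof consumes nothing.
        Returns (accepted, reason)."""
        for cred in unrestricted_hyps:           # a consumable must not sit in Gamma,
            if self.is_consumable(cred):         # where it could be copied freely
                return False, f"consumable credential {cred} placed in Gamma"
        uses = Counter(linear_hyps)
        for cred, n in uses.items():
            if not self.is_consumable(cred):     # only marked certificates may be linear
                return False, f"{cred} is not a marked consumable credential"
            if n > self.remaining[cred]:
                return False, f"{cred}: proof uses {n}, only {self.remaining[cred]} left"
        for cred, n in uses.items():
            self.remaining[cred] -= n
        return True, "accepted"


def demo():
    """Constructed pay-per-view scenario: a one-use ticket and a two-use coupon."""
    tracker = ConsumableCredentialTracker({"movie-ticket-42": 1, "coupon-7": 2})
    results = [
        tracker.check_proof(["movie-ticket-42"])[0],             # first viewing: accepted
        tracker.check_proof(["movie-ticket-42"])[0],             # replay: rejected, 0 left
        tracker.check_proof(["coupon-7"] * 3)[0],                # 3 uses of a 2-use coupon
        tracker.check_proof(["coupon-7"] * 2)[0],                # budget untouched, so accepted
        tracker.check_proof([], unrestricted_hyps=["coupon-7"])[0],  # smuggled into Gamma
    ]
    return results, dict(tracker.remaining)


if __name__ == "__main__":
    print(demo())   # ([True, False, False, True, False], {'movie-ticket-42': 0, 'coupon-7': 0})
```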

Linearity plays a crucial role in this enforcement mechanism in two related ways. First,
it ensures that consumable credentials are not used in a proof more than the number of
times made explicit in the hypotheses; this is a consequence of the lack of contraction in
linear hypotheses. Dually, it ensures that each consumable credential mentioned in the
linear hypotheses is actually used in the proof the number of times it is mentioned; this
is a consequence of the absence of weakening in linear hypotheses.[3] Together, these two
observations imply that the proof verifier is able to accurately track the number of uses of
each consumable credential in step (2) above. In the PCFS architecture, this enforcement
mechanism has to be modified since the use of consumable credentials in it should be tracked
by the back end, not by the proof verifier. Procaps can be used to carry information about
consumable credentials used in a proof from the proof verifier to the back end, as described
in §9.3.

[1] It is important to explain how we count "uses" of a hypothesis. In the so-called multiplicative-exponential
fragment of linear logic, it is appropriate to say that a hypothesis is used n times in a sequent calculus proof
if it appears n times as the principal judgment in either left rules or the rule (init). However, we have to be
careful when additive connectives are included, as explained at the end of §9.1.1.

[2] These observations were first made in joint work of the author and others [66] and independently by
Cederquist et al. in the setting of auditing traces for access violations [37].

In addition, linearity can be used to model state, as well as transitions between states, or
real expendable resources like money, all of which may be relevant for expressing authorization
policies in some cases [54, 66]. The merit of modeling state using linearity (as opposed
to interpreted predicates) is that rules for modifying the state can also be expressed and
reasoned about within the logic. The disadvantage is that any rule that tries to only read
the state must consume the linear hypothesis that represents the state, and then regenerate
it. This is awkward in some cases, so in BL_L we allow both linearity as well as interpreted
predicates, leaving it up to system designers to use whichever one of the two suits the
situation better.

Keeping in mind these uses of linearity, the primary objective of this chapter is to present
BL's linear extension BL_L, its proof theory, and some of its metatheoretic properties (§9.1).
To prevent repetition of concepts from earlier chapters, we limit our discussion of proof
theory to a sequent calculus for BL_L even though a natural deduction system for BL_L can
also be constructed. The presentation of the sequent calculus derives from a judgmental
presentation of intuitionistic linear logic due to Chang et al. [39], and more directly from
prior joint work of the author in the context of authorization [54, 66]. The chapter also
presents simple examples of the use of linearity to model consumable credentials (§9.2).
These examples are only illustrations to explain the expressiveness added by linearity in the
context of authorization; larger examples may be found in prior work on the subject [54, 66].
Finally, the chapter proposes a method of enforcement of consumable credentials in the
PCFS architecture that relies on proofs in BL_L as well as procaps (§9.3).


9.1 Syntax, Sequent Calculus, and Metatheory

We present the judgments of BL_L and the relations between them first, and then describe
the structure of formulas. Rules of the sequent calculus and its metatheory are postponed
to §9.1.1 and §9.1.2, respectively. The proof theory of BL_L (in particular its sequent calculus)
relies on four distinct basic judgments, two of which, $s \circ [u_1,u_2]$ and $k\ \mathsf{claims}\ s \circ [u_1,u_2]$,
were already present in BL (§4.2). We list below all four judgments, together with their
intuitive meanings.

[3] Readers familiar with linear logic may be aware that the additive connectives $\top$ and $0$ may cause
weakening to become admissible in certain cases. To avoid such problems we disallow these two connectives
in BL_L, as should become clear in §9.1.
- $s \circ [u_1,u_2]$: Formula s holds throughout the interval $[u_1,u_2]$, and this fact may be
used any number of times (possibly never).

- $s \star [u_1,u_2]$: Formula s holds throughout the interval $[u_1,u_2]$, and this fact must be
used once.

- $k\ \mathsf{claims}\ s \circ [u_1,u_2]$: Principal k claims throughout the interval $[u_1,u_2]$ that formula
s holds, and this fact may be used any number of times (possibly never).

- $k\ \mathsf{claims}\ s \star [u_1,u_2]$: Principal k claims throughout the interval $[u_1,u_2]$ that formula
s holds, and this fact must be used once.

The judgments containing $\star$, which we read as "in", are linear. As their descriptions suggest,
they correspond to resources, which if assumed in a proof must be used exactly once in it.
(Such judgments may be replicated in the linear hypotheses if they have to be used multiple
times.) Hypotheses in BL_L are of two types: unrestricted Γ, which contain assumptions of the
forms $s \circ [u_1,u_2]$ and $k\ \mathsf{claims}\ s \circ [u_1,u_2]$, and linear Δ, which are comprised of assumptions
of the forms $s \star [u_1,u_2]$ and $k\ \mathsf{claims}\ s \star [u_1,u_2]$. Sequents contain both unrestricted and
linear hypotheses, as in the grammar below. The conclusion of a sequent is always of the
form $s \star [u_1,u_2]$ because hypothetical judgments with other conclusions can be defined as
explained later.

$$\begin{array}{ll}
\text{Basic Judgments} & J ::= s \circ [u_1,u_2] \mid k\ \mathsf{claims}\ s \circ [u_1,u_2] \mid s \star [u_1,u_2] \mid k\ \mathsf{claims}\ s \star [u_1,u_2] \\
\text{Unrestricted Hypotheses} & \Gamma ::= \cdot \mid \Gamma, s \circ [u_1,u_2] \mid \Gamma, k\ \mathsf{claims}\ s \circ [u_1,u_2] \\
\text{Linear Hypotheses} & \Delta ::= \cdot \mid \Delta, s \star [u_1,u_2] \mid \Delta, k\ \mathsf{claims}\ s \star [u_1,u_2] \\
\text{Sequents} & \Sigma; \Psi; E; \Gamma; \Delta \xrightarrow{\nu} s \star [u_1,u_2]
\end{array}$$

Basic reasoning principles. The sequent form $\Sigma; \Psi; E; \Gamma; \Delta \xrightarrow{\nu} s \star [u_1,u_2]$ expresses
that the basic judgment $s \star [u_1,u_2]$ follows from the assumptions $\Sigma; \Psi; E; \Gamma; \Delta$. But what
about conclusions of the forms $s \circ [u_1,u_2]$, $k\ \mathsf{claims}\ s \star [u_1,u_2]$, and $k\ \mathsf{claims}\ s \circ [u_1,u_2]$?
Hypothetical reasoning for these forms of conclusions can be defined, as manifest in the
following three principles.[4] $\Gamma|$ and $\Delta|$ denote the restrictions of the hypotheses Γ and Δ to
assumptions of the forms $k\ \mathsf{claims}\ s \circ [u_1,u_2]$ and $k\ \mathsf{claims}\ s \star [u_1,u_2]$, respectively.

$$\Gamma| = \{(k\ \mathsf{claims}\ s \circ [u_1,u_2]) \in \Gamma\}$$

$$\Delta| = \{(k\ \mathsf{claims}\ s \star [u_1,u_2]) \in \Delta\}$$

Time-unrestricted principle. $s \circ [u_1,u_2]$ follows from the assumptions $\Sigma; \Psi; E; \Gamma; \Delta$
in view ν if $\Delta = \cdot$ and $\Sigma; \Psi; E; \Gamma; \cdot \xrightarrow{\nu} s \star [u_1,u_2]$.

[4] It should be noted that these reasoning principles are not explicit rules in the sequent calculus, but
are admissible. Allowing these rules as explicit rules complicates the proof of admissibility of cut, and
corresponding rules in the natural deduction system for BL_L (which we have not presented here) make it
difficult, if not impossible, to characterize canonical proofs.
The principle requires Δ to be empty because $s \circ [u_1,u_2]$ is a conclusion that may be
used any number of times, and hence it does not follow directly from $s \star [u_1,u_2]$ if
the proof of the latter depends on linear hypotheses.

Claim-linear principle. $k\ \mathsf{claims}\ s \star [u_1,u_2]$ follows from the assumptions $\Sigma; \Psi; E;
\Gamma; \Delta$ in any view ν if $\Delta = \Delta|$ and $\Sigma; \Psi; E; \Gamma|; \Delta| \xrightarrow{k,u_1,u_2} s \star [u_1,u_2]$.

The principle means that, as for BL, a direct proof of $k\ \mathsf{claims}\ s \star [u_1,u_2]$ should not
depend on any assumptions that do not have the prefix $k\ \mathsf{claims}\ \cdot$. Further, to track
linear hypotheses correctly, we also require that $\Delta = \Delta|$.

Claim-unrestricted principle. $k\ \mathsf{claims}\ s \circ [u_1,u_2]$ follows from the assumptions
$\Sigma; \Psi; E; \Gamma; \Delta$ in any view ν if $\Delta = \cdot$ and $\Sigma; \Psi; E; \Gamma|; \cdot \xrightarrow{k,u_1,u_2} s \star [u_1,u_2]$.

Again, a direct proof of $k\ \mathsf{claims}\ s \circ [u_1,u_2]$ should not depend on any assumptions
that do not have the prefix $k\ \mathsf{claims}\ \cdot$. Further, since $k\ \mathsf{claims}\ s$ is a conclusion that
may be used any number of times, it must not depend on linear hypotheses, so Δ
must be empty.

In addition to these principles, reasoning in BL_L also relies on analogues of the time
subsumption and the view principle from §4.2.2, which we do not state explicitly.


Formulas. The syntax of BL_L formulas r, s is shown below. We allow most connectives of
intuitionistic linear logic, the excluded connectives being $\top$ and $0$. These two connectives are
not included because by writing these connectives in policies weakening may be admitted,
which, as explained in the opening of this chapter, is undesirable for modeling consumable
credentials. As is standard in linear logic, $r \otimes s$ means that available resources entail r
and s simultaneously; $1$ represents absence of any resources; $r \,\&\, s$ means that available
resources suffice to prove either r or s, but not both; $r \oplus s$ means that available resources
prove either r or s, but it is not known which; $r \multimap s$ means that resource r can be converted
to resource s; and $!s$ means that s holds without restrictions on the number of times it may
be used. The new connective, $k\ \mathsf{once}\ s$, is the linear form of $k\ \mathsf{says}\ s$.

$$\text{Formulas}\quad r, s ::= p \mid i \mid c \mid r \otimes s \mid 1 \mid r \,\&\, s \mid r \oplus s \mid r \multimap s \mid\ !s \mid \forall x{:}\sigma.\, s \mid \exists x{:}\sigma.\, s \mid k\ \mathsf{says}\ s \mid k\ \mathsf{once}\ s \mid s\ @\ [u_1,u_2]$$


Judgments internalized as formulas. As in BL, all forms of basic judgments in BL_L
may be internalized into the syntax of formulas. Formulas that internalize each form of basic
judgment are listed in Figure 9.1. Also listed in the figure are other judgments that are
equivalent to the basic judgments. We use these equivalences to justify some of the inference
rules later. The salient observation here is that of the four basic judgments, only $s \star [u_1,u_2]$
is internalized by a single connective; all others are internalized as the composition of two
connectives.
$$\begin{array}{lll}
\text{Basic judgment} & \text{Internalized as the formula \ldots} & \text{Other equivalent judgment(s)} \\
s \star [u_1,u_2] & s\ @\ [u_1,u_2] & \text{None} \\
s \circ [u_1,u_2] & (!s)\ @\ [u_1,u_2] & (!s) \star [u_1,u_2] \\
k\ \mathsf{claims}\ s \star [u_1,u_2] & (k\ \mathsf{once}\ s)\ @\ [u_1,u_2] & (k\ \mathsf{once}\ s) \star [u_1,u_2] \\
k\ \mathsf{claims}\ s \circ [u_1,u_2] & (k\ \mathsf{says}\ s)\ @\ [u_1,u_2] & (k\ \mathsf{says}\ s) \star [u_1,u_2]
\end{array}$$

Figure 9.1: Basic judgments of BL_L and their internalization as formulas


9.1.1 Rules of the Sequent Calculus

Next we describe the rules of the sequent calculus for BL_L. We start with some basic rules
that relate the various judgments, and then proceed to explain the left and right rules for
each connective. All rules are summarized in Figures 9.2 and 9.3.


Rules relating basic judgments. The rule (init) below allows a conclusion of $p \star [u_1,u_2]$
from the linear hypothesis $p \star [u_1',u_2']$, if $u_1' \le u_1$ and $u_2 \le u_2'$. Observe that no other
linear hypotheses may be present, which enforces strict use of the latter. As in the rule's
homonym from §4.2.4, the conditions $u_1' \le u_1$ and $u_2 \le u_2'$ account for subsumption over
time intervals. Theorem 9.6 shows that the generalization of this rule to arbitrary formulas
(in place of uninterpreted atoms p) is admissible in BL_L.

$$\frac{\Sigma;\Psi \models u_1' \le u_1 \qquad \Sigma;\Psi \models u_2 \le u_2'}{\Sigma;\Psi;E;\Gamma;\ p \star [u_1',u_2'] \xrightarrow{\nu} p \star [u_1,u_2]}\ \text{init}$$

The next rule, (copy), allows an unrestricted hypothesis $s \circ [u_1,u_2]$ to be copied into
the linear hypotheses as $s \star [u_1,u_2]$. Since this rule may be applied repeatedly to any
unrestricted hypothesis, unrestricted hypotheses may be used any number of times in a
proof.

$$\frac{\Sigma;\Psi;E;\Gamma, s \circ [u_1,u_2];\ \Delta, s \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1',u_2']}{\Sigma;\Psi;E;\Gamma, s \circ [u_1,u_2];\ \Delta \xrightarrow{\nu} r \star [u_1',u_2']}\ \text{copy}$$

The next two rules, (claims) and (lclaims), are BL_L analogues of the BL rule (claims) for
unrestricted hypotheses and linear hypotheses respectively. In the case of rule (lclaims),
the principal judgment $k\ \mathsf{claims}\ s \star [u_1,u_2]$ is not retained in the premise, which enforces
its strict one-time use.

$$\frac{\nu = k', u_b, u_e \quad \Sigma;\Psi \models u_1 \le u_b \quad \Sigma;\Psi \models u_e \le u_2 \quad \Sigma;\Psi \models k \succeq k' \quad \Sigma;\Psi;E;\Gamma, k\ \mathsf{claims}\ s \circ [u_1,u_2];\ \Delta, s \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1',u_2']}{\Sigma;\Psi;E;\Gamma, k\ \mathsf{claims}\ s \circ [u_1,u_2];\ \Delta \xrightarrow{\nu} r \star [u_1',u_2']}\ \text{claims}$$

$$\frac{\nu = k', u_b, u_e \quad \Sigma;\Psi \models u_1 \le u_b \quad \Sigma;\Psi \models u_e \le u_2 \quad \Sigma;\Psi \models k \succeq k' \quad \Sigma;\Psi;E;\Gamma;\ \Delta, s \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\ \Delta, k\ \mathsf{claims}\ s \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1',u_2']}\ \text{lclaims}$$
Connectives $!$, $k\ \mathsf{says}\ s$, and $k\ \mathsf{once}\ s$. Rules for the connectives $!$, $k\ \mathsf{says}\ s$, and $k\ \mathsf{once}\ s$
follow a similar template. The right rules for these connectives are based on the principles
(time-unrestricted), (claim-unrestricted), and (claim-linear), respectively. For instance, the
right rule for $!$ (shown below) states that if $\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{\nu} s \star [u_1,u_2]$, then $\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{\nu}
(!s) \star [u_1,u_2]$. This follows immediately from the principle (time-unrestricted) and the
equivalence of the two judgments $(!s) \star [u_1,u_2]$ and $s \circ [u_1,u_2]$ (Figure 9.1). The right
rules of $k\ \mathsf{says}\ s$ and $k\ \mathsf{once}\ s$ are similarly justified. The left rules for the connectives are
straightforward: they replace the principal judgment in the conclusion by an equivalent
judgment in the premise.

$$\frac{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{\nu} s \star [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{\nu}\ !s \star [u_1,u_2]}\ !\text{R}$$

$$\frac{\Sigma;\Psi;E;\Gamma, s \circ [u_1,u_2];\ \Delta \xrightarrow{\nu} r \star [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\ \Delta,\ !s \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1',u_2']}\ !\text{L}$$

$$\frac{\Sigma;\Psi;E;\Gamma|;\cdot \xrightarrow{k,u_1,u_2} s \star [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{\nu} k\ \mathsf{says}\ s \star [u_1,u_2]}\ \text{saysR}$$

$$\frac{\Sigma;\Psi;E;\Gamma, k\ \mathsf{claims}\ s \circ [u_1,u_2];\ \Delta \xrightarrow{\nu} r \star [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\ \Delta, k\ \mathsf{says}\ s \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1',u_2']}\ \text{saysL}$$

$$\frac{\Sigma;\Psi;E;\Gamma|;\Delta| \xrightarrow{k,u_1,u_2} s \star [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta| \xrightarrow{\nu} k\ \mathsf{once}\ s \star [u_1,u_2]}\ \text{onceR}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\ \Delta, k\ \mathsf{claims}\ s \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\ \Delta, k\ \mathsf{once}\ s \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1',u_2']}\ \text{onceL}$$

It should again be noted that the principal judgments in the left rules are not retained in
the premises, to enforce linearity correctly. The same pattern repeats in the left rules of all
connectives below. Another salient observation is that left rules for connectives apply only
to judgments of the form $s \star [u_1,u_2]$. Other judgments in hypotheses can be analyzed in
the sequent calculus only by promoting them to judgments of this form through the rules
(copy), (claims), and (lclaims).


The connective @. The rules for the @ connective are straightforward and follow the
corresponding rules in BL.

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{\nu} s \star [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{\nu} s\ @\ [u_1,u_2] \star [u_1',u_2']}\ @\text{R}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\ \Delta, s\ @\ [u_1',u_2'] \star [u_1,u_2], s \star [u_1',u_2'] \xrightarrow{\nu} r \star [u_1'',u_2'']}{\Sigma;\Psi;E;\Gamma;\ \Delta, s\ @\ [u_1',u_2'] \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1'',u_2'']}\ @\text{L}$$


Constraints and interpreted predicates. The rules for constraints and interpreted
predicates in BL_L are similar to those in BL. The only important point is that in the right
rules, we require that the linear hypotheses be empty.

$$\frac{\Sigma;\Psi \models c}{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{\nu} c \star [u_1,u_2]}\ \text{consR}$$

$$\frac{\Sigma;\Psi, c;E;\Gamma;\Delta \xrightarrow{\nu} r \star [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\ \Delta, c \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1',u_2']}\ \text{consL}$$

$$\frac{\Sigma;E \models i}{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{\nu} i \star [u_1,u_2]}\ \text{interR}$$

$$\frac{\Sigma;\Psi;E, i;\Gamma;\Delta \xrightarrow{\nu} r \star [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\ \Delta, i \star [u_1,u_2] \xrightarrow{\nu} r \star [u_1',u_2']}\ \text{interL}$$


Conjunctions  ®  and  &.  In  linear  logic,  there  are  two  forms  of  conjunction  -  <8)  and 
&,  often  called  multiplicative  conjunction  and  additive  conjunction  respectively  [71].  The 
meaning  of  si  <g>  S2  *  [it  1,142]  is  that  the  available  hypotheses  simultaneously  entail  si  and 
S2  once  each  for  the  entire  interval  [ui,U2\.  Accordingly,  in  the  rule  (<8>R),  we  split  the 
available  linear  hypotheses  disjointly  into  Ai  and  A2,  and  use  them  to  establish  si  *  [iq,  U2] 
and  S2  *  [iti ,  1*2]  respectively.  Dually,  in  the  premise  of  the  left  rule,  we  introduce  both  s\ 
and  S2  simultaneously  in  the  linear  hypotheses. 


£;T;  A;T;  Ai Sl  *  [Ul)M2]  £;  T;  A;  T;  A2  s2  *  [tq,  u2\ 

- v - ®R 

£;  T ;  E;  T;  A1 ,  A2  — +  Si  ®  s2  *  [tq ,  u2] 

k  [iq,ix2],s2  *  [ui,u2]  r*  [wj,^]  T 

- v - <8>L 

£;  E\  T;  A,  si  ®  s2  *  [iq,  u2]  — >  r  *  [u[,  u'2] 

On  the  other  hand,  si  &  S2  k  [iq,  it2]  means  that  the  entire  hypotheses  may  be  used  to 
establish  si  once  throughout  the  interval  [111,1x2],  and  also  s2  once  throughout  the  interval 
[til)  1x2]-  Consequently,  in  the  rule  (&R),  we  use  the  same  linear  hypotheses  to  establish 
both  si  *  [m,n2]  and  s2  *  [iti,ix2].  Dually,  there  are  two  left  rules;  one  allows  si  *  [zxi,ix2] 
to  be  assumed  given  the  hypothesis  si  &  -s2  *  [iq,  ix2],  whereas  the  other  allows  s2  *  [iq,  zx2] 
to  be  assumed  under  the  same  condition. 

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \ast [u_1,u_2] \quad \Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_2 \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \mathbin{\&} s_2 \ast [u_1,u_2]}\ \&\text{R}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \mathbin{\&} s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \&\text{L}_1
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta, s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \mathbin{\&} s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \&\text{L}_2$$

The unit of the multiplicative conjunction, 1, denotes absence of resources. Accordingly, it can be established as a conclusion only if the linear hypotheses are empty (rule (1R)), and as an assumption it may simply be removed (rule (1L)).

$$\frac{}{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{v} 1 \ast [u_1,u_2]}\ 1\text{R}
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, 1 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ 1\text{L}$$




Chapter 9. BL^L: A Linear Extension of BL


The unit of additive conjunction, called ⊤ in linear logic, is deliberately excluded from BL^L. To understand why we exclude ⊤, let us look at the right rule it would have had, were it to be included.

$$\frac{}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} \top \ast [u_1,u_2]}\ \top\text{R}$$

The problem with this rule is that it consumes arbitrary linear hypotheses $\Delta$. Consequently, using ⊤, it is possible to have sequents that admit weakening. As a simple example, if $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \otimes \top$, then for any $\Delta'$, it is also the case that $\Sigma;\Psi;E;\Gamma;\Delta,\Delta' \xrightarrow{v} s \otimes \top$. Clearly, in this case usage of linear hypotheses is not precisely accounted for by the logic. To avoid this problem we do not include ⊤ in BL^L.


Disjunction ⊕. The judgment $s_1 \oplus s_2 \ast [u_1,u_2]$ means that one of $s_1 \ast [u_1,u_2]$ and $s_2 \ast [u_1,u_2]$ holds from the available hypotheses, but it may not be known precisely which. ⊕ is the analogue of disjunction in intuitionistic linear logic.⁵ It has two right rules, which allow $s_1 \oplus s_2 \ast [u_1,u_2]$ to be established from $s_1 \ast [u_1,u_2]$ and $s_2 \ast [u_1,u_2]$ respectively. In the left rule, the same conclusion must be established from either disjunct, since it is not known in general which of the two disjuncts holds.


$$\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \oplus s_2 \ast [u_1,u_2]}\ \oplus\text{R}_1
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_2 \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \oplus s_2 \ast [u_1,u_2]}\ \oplus\text{R}_2$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2'] \quad \Sigma;\Psi;E;\Gamma;\Delta, s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \oplus s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \oplus\text{L}$$


The unit of disjunction, called 0 in linear logic, is not included in BL^L because, like ⊤, it makes accounting of resources imprecise.

Implication ⊸. In intuitionistic linear logic (without explicit time), the formula $r \multimap s$ means that the linear hypothesis $r$ entails $s$. In BL^L, the meaning of ⊸ must also take into account time intervals, in the same way that implication does in BL, resulting in the following rules.


$$\frac{\Sigma, x_1{:}\mathsf{time}, x_2{:}\mathsf{time};\ \Psi, u_1 \leq x_1, x_2 \leq u_2;\ E;\Gamma;\Delta, s_1 \ast [x_1,x_2] \xrightarrow{v} s_2 \ast [x_1,x_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \multimap s_2 \ast [u_1,u_2]}\ \multimap\text{R}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta_1 \xrightarrow{v} s_1 \ast [u_1',u_2'] \quad \Sigma;\Psi;E;\Gamma;\Delta_2, s_2 \ast [u_1',u_2'] \xrightarrow{v} r \ast [u_1'',u_2''] \quad \Sigma;\Psi \models u_1 \leq u_1' \quad \Sigma;\Psi \models u_2' \leq u_2}{\Sigma;\Psi;E;\Gamma;\Delta_1,\Delta_2, s_1 \multimap s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1'',u_2'']}\ \multimap\text{L}$$

⁵ ⊕ is often called additive disjunction, because there is also another kind of disjunction called multiplicative disjunction in classical linear logic. The latter is hard to explain intuitionistically, and is therefore not included here [39].
Quantifiers ∀ and ∃. The rules for quantifiers in BL^L also follow their counterparts from BL.

$$\frac{\Sigma, x{:}\sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} \forall x{:}\sigma.\,s \ast [u_1,u_2]}\ \forall\text{R}
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta, s[t/x] \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2'] \quad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Gamma;\Delta, \forall x{:}\sigma.\,s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \forall\text{L}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s[t/x] \ast [u_1,u_2] \quad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} \exists x{:}\sigma.\,s \ast [u_1,u_2]}\ \exists\text{R}
\qquad
\frac{\Sigma, x{:}\sigma;\Psi;E;\Gamma;\Delta, s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, \exists x{:}\sigma.\,s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \exists\text{L}$$


Derivable and admissible properties. The rules of the sequent calculus of BL^L are summarized in Figures 9.2 and 9.3. In the following we list some properties that explain the interaction of @ with the other connectives. $\vdash s$ means that $\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{v} s \ast [u_1,u_2]$ for every $\Sigma$, $\Psi$, $\Gamma$, $v$, $u_1$ and $u_2$, whereas $\nvdash s$ means that this is not the case. $s_1 \equiv s_2$ denotes $(s_1 \multimap s_2) \mathbin{\&} (s_2 \multimap s_1)$, which is the linear analogue of logical equivalence.

1. $\vdash ((u_1 \leq u_1') \otimes (u_2' \leq u_2)) \multimap ((s\ @\ [u_1,u_2]) \multimap (s\ @\ [u_1',u_2']))$

2. $\vdash ((s_1 \otimes s_2)\ @\ [u_1,u_2]) \equiv ((s_1\ @\ [u_1,u_2]) \otimes (s_2\ @\ [u_1,u_2]))$

3. $\vdash ((s_1 \mathbin{\&} s_2)\ @\ [u_1,u_2]) \equiv ((s_1\ @\ [u_1,u_2]) \mathbin{\&} (s_2\ @\ [u_1,u_2]))$

4. $\vdash ((s_1 \oplus s_2)\ @\ [u_1,u_2]) \equiv ((s_1\ @\ [u_1,u_2]) \oplus (s_2\ @\ [u_1,u_2]))$

5. $\vdash ((\forall x{:}\sigma.\,s)\ @\ [u_1,u_2]) \equiv (\forall x{:}\sigma.\,(s\ @\ [u_1,u_2]))$ $\quad (x \notin u_1, u_2)$

6. $\vdash ((\exists x{:}\sigma.\,s)\ @\ [u_1,u_2]) \equiv (\exists x{:}\sigma.\,(s\ @\ [u_1,u_2]))$ $\quad (x \notin u_1, u_2)$

7. $\vdash 1\ @\ [u_1,u_2]$

8. $\vdash ((s_1 \multimap s_2)\ @\ [u_1,u_2]) \equiv (\forall x_1{:}\mathsf{time}.\,\forall x_2{:}\mathsf{time}.\,(((u_1 \leq x_1) \otimes (x_2 \leq u_2) \otimes (s_1\ @\ [x_1,x_2])) \multimap (s_2\ @\ [x_1,x_2])))$

9. $\vdash ((k\ \mathsf{says}\ s)\ @\ [u_1,u_2]) \multimap (k\ \mathsf{says}\ (s\ @\ [u_1,u_2]))$

10. $\nvdash (k\ \mathsf{says}\ (s\ @\ [u_1,u_2])) \multimap ((k\ \mathsf{says}\ s)\ @\ [u_1,u_2])$

11. $\vdash ((s\ @\ [u_1,u_2])\ @\ [u_1',u_2']) \equiv (s\ @\ [u_1,u_2])$

The following are some properties of the connectives $!$, $k\ \mathsf{says}\ s$, and $k\ \mathsf{once}\ s$.

1. $\vdash (k\ \mathsf{says}\ s) \multimap (k\ \mathsf{once}\ s)$

2. $\nvdash (k\ \mathsf{once}\ s) \multimap (k\ \mathsf{says}\ s)$

3. $\vdash (k\ \mathsf{says}\ s) \multimap ((k\ \mathsf{once}\ (!s)) \mathbin{\&} (!(k\ \mathsf{once}\ s)))$

4. $\nvdash ((k\ \mathsf{once}\ (!s)) \mathbin{\&} (!(k\ \mathsf{once}\ s))) \multimap (k\ \mathsf{says}\ s)$
$$\frac{\Sigma;\Psi \models u_1 \leq u_1' \quad \Sigma;\Psi \models u_2' \leq u_2}{\Sigma;\Psi;E;\Gamma;\ p \ast [u_1,u_2] \xrightarrow{v} p \ast [u_1',u_2']}\ \text{init}$$

$$\frac{\Sigma;\Psi;E;\Gamma, s \circ [u_1,u_2];\Delta, s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma, s \circ [u_1,u_2];\Delta \xrightarrow{v} r \ast [u_1',u_2']}\ \text{copy}$$

$$\frac{\Sigma;\Psi;E;\Gamma, k\ \mathsf{claims}\ s \circ [u_1,u_2];\Delta, s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2'] \quad v = k', u_b, u_e \quad \Sigma;\Psi \models u_1 \leq u_b \quad \Sigma;\Psi \models u_e \leq u_2 \quad \Sigma;\Psi \models k \succeq k'}{\Sigma;\Psi;E;\Gamma, k\ \mathsf{claims}\ s \circ [u_1,u_2];\Delta \xrightarrow{v} r \ast [u_1',u_2']}\ \text{claims}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta, s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2'] \quad v = k', u_b, u_e \quad \Sigma;\Psi \models u_1 \leq u_b \quad \Sigma;\Psi \models u_e \leq u_2 \quad \Sigma;\Psi \models k \succeq k'}{\Sigma;\Psi;E;\Gamma;\Delta, k\ \mathsf{claims}\ s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \text{lclaims}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{v} s \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{v} {!}s \ast [u_1,u_2]}\ {!}\text{R}
\qquad
\frac{\Sigma;\Psi;E;\Gamma, s \circ [u_1,u_2];\Delta \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, {!}s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ {!}\text{L}$$

$$\frac{\Sigma;\Psi;E;\Gamma|;\cdot \xrightarrow{k,u_1,u_2} s \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{v} k\ \mathsf{says}\ s \ast [u_1,u_2]}\ \text{saysR}
\qquad
\frac{\Sigma;\Psi;E;\Gamma, k\ \mathsf{claims}\ s \circ [u_1,u_2];\Delta \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, k\ \mathsf{says}\ s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \text{saysL}$$

$$\frac{\Sigma;\Psi;E;\Gamma|;\Delta| \xrightarrow{k,u_1,u_2} s \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta| \xrightarrow{v} k\ \mathsf{once}\ s \ast [u_1,u_2]}\ \text{onceR}
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta, k\ \mathsf{claims}\ s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, k\ \mathsf{once}\ s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \text{onceL}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s\ @\ [u_1,u_2] \ast [u_1',u_2']}\ @\text{R}
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta, s\ @\ [u_1,u_2] \ast [u_1',u_2'], s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1'',u_2'']}{\Sigma;\Psi;E;\Gamma;\Delta, s\ @\ [u_1,u_2] \ast [u_1',u_2'] \xrightarrow{v} r \ast [u_1'',u_2'']}\ @\text{L}$$

$$\frac{\Sigma;\Psi \models c}{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{v} c \ast [u_1,u_2]}\ \text{consR}
\qquad
\frac{\Sigma;E \models i}{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{v} i \ast [u_1,u_2]}\ \text{interR}$$

$$\frac{\Sigma;\Psi,c;E;\Gamma;\Delta \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, c \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \text{consL}
\qquad
\frac{\Sigma;\Psi;E,i;\Gamma;\Delta \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, i \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \text{interL}$$

Figure 9.2: BL^L: Sequent calculus, part 1


Counting "uses" of a linear hypothesis. Throughout this chapter, we have used the phrase "use of a linear hypothesis" without an explanation of its precise meaning. Now we explain this phrase. In the absence of rules for & and ⊕, it is easy to check by structural induction on proofs that if a resource is repeated $n$ times in the linear hypotheses, then it will occur exactly $n$ times as the principal judgment of a left rule or the rule (init) in the proof. Consequently, in the absence of the connectives & and ⊕, we may say that a linear hypothesis is used $n$ times in a proof if it appears $n$ times as the principal judgment of a left rule or the rule (init) in the proof. This should also be intuitive because left rules analyze (and therefore consume) hypotheses.

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta_1 \xrightarrow{v} s_1 \ast [u_1,u_2] \quad \Sigma;\Psi;E;\Gamma;\Delta_2 \xrightarrow{v} s_2 \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta_1,\Delta_2 \xrightarrow{v} s_1 \otimes s_2 \ast [u_1,u_2]}\ \otimes\text{R}
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \ast [u_1,u_2], s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \otimes s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \otimes\text{L}$$

$$\frac{}{\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{v} 1 \ast [u_1,u_2]}\ 1\text{R}
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, 1 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ 1\text{L}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \ast [u_1,u_2] \quad \Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_2 \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \mathbin{\&} s_2 \ast [u_1,u_2]}\ \&\text{R}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \mathbin{\&} s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \&\text{L}_1
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta, s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \mathbin{\&} s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \&\text{L}_2$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \oplus s_2 \ast [u_1,u_2]}\ \oplus\text{R}_1
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_2 \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \oplus s_2 \ast [u_1,u_2]}\ \oplus\text{R}_2$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2'] \quad \Sigma;\Psi;E;\Gamma;\Delta, s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, s_1 \oplus s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \oplus\text{L}$$

$$\frac{\Sigma, x_1{:}\mathsf{time}, x_2{:}\mathsf{time};\ \Psi, u_1 \leq x_1, x_2 \leq u_2;\ E;\Gamma;\Delta, s_1 \ast [x_1,x_2] \xrightarrow{v} s_2 \ast [x_1,x_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s_1 \multimap s_2 \ast [u_1,u_2]}\ \multimap\text{R}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta_1 \xrightarrow{v} s_1 \ast [u_1',u_2'] \quad \Sigma;\Psi;E;\Gamma;\Delta_2, s_2 \ast [u_1',u_2'] \xrightarrow{v} r \ast [u_1'',u_2''] \quad \Sigma;\Psi \models u_1 \leq u_1' \quad \Sigma;\Psi \models u_2' \leq u_2}{\Sigma;\Psi;E;\Gamma;\Delta_1,\Delta_2, s_1 \multimap s_2 \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1'',u_2'']}\ \multimap\text{L}$$

$$\frac{\Sigma, x{:}\sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} \forall x{:}\sigma.\,s \ast [u_1,u_2]}\ \forall\text{R}
\qquad
\frac{\Sigma;\Psi;E;\Gamma;\Delta, s[t/x] \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2'] \quad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Gamma;\Delta, \forall x{:}\sigma.\,s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \forall\text{L}$$

$$\frac{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s[t/x] \ast [u_1,u_2] \quad \Sigma \vdash t : \sigma}{\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} \exists x{:}\sigma.\,s \ast [u_1,u_2]}\ \exists\text{R}
\qquad
\frac{\Sigma, x{:}\sigma;\Psi;E;\Gamma;\Delta, s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}{\Sigma;\Psi;E;\Gamma;\Delta, \exists x{:}\sigma.\,s \ast [u_1,u_2] \xrightarrow{v} r \ast [u_1',u_2']}\ \exists\text{L}$$

Figure 9.3: BL^L: Sequent calculus, part 2
We have to be more careful when the connectives & and ⊕ are included. For instance, in the rule (&R), the linear hypotheses are replicated in the two premises, and a naive counting of uses of resources as explained above would suggest that each resource appearing $n$ times in the linear hypotheses in the conclusion has been used $2n$ times in the proof ($n$ times in each premise). A similar problem arises for the rule (⊕L). Therefore, when counting the number of uses of a linear hypothesis above either the rule (&R) or the rule (⊕L) in a derivation, the uses in any one premise should be counted. This can be intuitively justified as follows. From the assumption $s_1 \mathbin{\&} s_2 \ast [u_1,u_2]$, we are only allowed to obtain one of the conjuncts (rules (&L₁) and (&L₂)), so only one of the premises of a proof ending in (&R) can be used if the proof were to substitute a hypothesis in another proof. The latter becomes clear upon a careful scrutiny of the proof of admissibility of cut (Theorem 9.5). Similarly, the rule (⊕L) corresponds to a proof by cases, and again, only one of its branches will be used when the principal assumption of the rule is substituted by another proof.
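The counting discipline just described is mechanical enough to write down. The following Python is an added illustration, not code from the thesis or from PCFS; it assumes a hypothetical proof-tree representation in which every node records the rule applied and, for a left rule or (init), the label of the linear hypothesis that is its principal judgment. Uses are summed across the premises of multiplicative rules such as (⊗R) and (⊸L), whose premises split the linear context disjointly, but counted in only one premise of (&R) and (⊕L), after checking that all premises agree on the tracked resources; a naive count is kept beside it to show the $2n$ overcount the text warns about.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set


# Hypothetical proof-tree representation (not the thesis's own data structure).
@dataclass
class Proof:
    rule: str                                   # e.g. "init", "⊗R", "&R", "⊕L", "⊸L"
    principal: Optional[str] = None             # label of the consumed linear hypothesis
    premises: List["Proof"] = field(default_factory=list)


# Rules whose premises replicate the same linear context: count any one premise.
ADDITIVE_RULES = {"&R", "⊕L"}


class ResourceAccountingError(Exception):
    """Branches of (&R) or (⊕L) disagree on the tracked resources they consume."""


def naive_count(proof: Proof, tracked: Set[str]) -> Counter:
    """Count principal occurrences over the whole tree, summing every premise.
    Correct without & and ⊕, but overcounts additive branches."""
    uses: Counter = Counter()
    if proof.principal in tracked:
        uses[proof.principal] += 1
    for p in proof.premises:
        uses.update(naive_count(p, tracked))
    return uses


def count_uses(proof: Proof, tracked: Set[str]) -> Counter:
    """Count how often each tracked hypothesis is the principal judgment of a left
    rule or (init). Multiplicative premises add up; additive premises are counted
    once, after checking that every premise spends the same tracked resources."""
    uses: Counter = Counter()
    if proof.principal in tracked:
        uses[proof.principal] += 1
    if proof.rule in ADDITIVE_RULES and proof.premises:
        branches = [count_uses(p, tracked) for p in proof.premises]
        for other in branches[1:]:
            if other != branches[0]:
                raise ResourceAccountingError(
                    f"{proof.rule}: premises consume different resources: "
                    f"{dict(branches[0])} vs {dict(other)}")
        uses.update(branches[0])
    else:
        for p in proof.premises:
            uses.update(count_uses(p, tracked))
    return uses


def uses_are_linear(proof: Proof, hypotheses: Counter) -> bool:
    """True iff every linear hypothesis of the end sequent is used exactly as many
    times as it is repeated there (the property the BL^L rules guarantee)."""
    try:
        return count_uses(proof, set(hypotheses)) == hypotheses
    except ResourceAccountingError:
        return False


# Constructed sample proofs; labels name the linear hypotheses of the end sequent.
# (1) Δ = a  ⊢  a & a: both premises of (&R) reuse the single copy of a.
PROOF_AND = Proof("&R", premises=[Proof("init", "a"), Proof("init", "a")])
# (2) Δ = a, a  ⊢  a ⊗ a: (⊗R) splits Δ disjointly; each half is spent by (init).
PROOF_TENSOR = Proof("⊗R", premises=[Proof("init", "a"), Proof("init", "a")])
# (3) Δ = a ⊕ b, c  ⊢  (a ⊗ c) ⊕ (b ⊗ c): (⊕L) is a proof by cases, so c, spent
#     once in each branch, counts once overall.
PROOF_CASES = Proof("⊕L", "a⊕b", premises=[
    Proof("⊕R1", premises=[Proof("⊗R", premises=[Proof("init", "a"), Proof("init", "c")])]),
    Proof("⊕R2", premises=[Proof("⊗R", premises=[Proof("init", "b"), Proof("init", "c")])]),
])
# (4) A malformed (&R) whose two premises spend different resources.
PROOF_BAD = Proof("&R", premises=[Proof("init", "a"), Proof("init", "b")])
```

For `PROOF_AND` the naive count reports `a` used twice although the end sequent holds only one copy; `count_uses` reports one use, matching the rule that only one premise of (&R) survives when the proof is substituted for a hypothesis (Theorem 9.5).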


9.1.2 Metatheory of the Sequent Calculus

In this section we prove several interesting metatheoretic properties of the sequent calculus of BL^L. These properties are generalizations of properties presented in §4.2.5 for the sequent calculus of BL. We start with weakening and contraction, which are stated in the following theorem. Conspicuously, neither weakening nor contraction holds for the linear hypotheses $\Delta$.


Theorem 9.1 (Weakening and Contraction). The following hold:

1. (Weakening)

(a) $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$ implies $\Sigma, x{:}\sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$.

(b) $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$ implies $\Sigma;\Psi,c;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$.

(c) $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$ implies $\Sigma;\Psi;E,i;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$.

(d) $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$ implies $\Sigma;\Psi;E;\Gamma,J;\Delta \xrightarrow{v} s \ast [u_1,u_2]$.

2. (Contraction) $\Sigma;\Psi;E;\Gamma,J,J;\Delta \xrightarrow{v} s \ast [u_1,u_2]$ implies $\Sigma;\Psi;E;\Gamma,J;\Delta \xrightarrow{v} s \ast [u_1,u_2]$.

Further, the derivation in the consequent of each statement has a depth no more than that of the antecedent.

Proof. By separate induction on the given derivation for each property. □

Theorem 9.2 (Instantiation). $\Sigma, x{:}\sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$ and $\Sigma \vdash t : \sigma$ imply $\Sigma;\Psi[t/x];E[t/x];\Gamma[t/x];\Delta[t/x] \xrightarrow{v[t/x]} s[t/x] \ast [u_1[t/x],u_2[t/x]]$.

Proof. By induction on the derivation of $\Sigma, x{:}\sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$. □

Theorem 9.3 (View subsumption). Suppose the following hold:

1. $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$

2. $v = k_0, u_b, u_e$

3. $\Sigma;\Psi \models k_0 \succeq k_0'$, $\Sigma;\Psi \models u_b \leq u_b'$, and $\Sigma;\Psi \models u_e' \leq u_e$.

4. $v' = k_0', u_b', u_e'$

Then $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v'} s \ast [u_1,u_2]$ by a derivation of smaller or equal depth.

Proof. By induction on the given derivation of $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$ and case analysis of its last rule. □

Theorem 9.4 (Time subsumption). Suppose the following hold:

1. $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$

2. $\Sigma;\Psi \models u_1 \leq u_n$

3. $\Sigma;\Psi \models u_m \leq u_2$

Then $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_n,u_m]$.

Proof. By induction on the depth of the given derivation of $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$ and case analysis of its last rule, as in the proof of Theorem 4.11. The proof appeals to Theorem 9.3 for the cases (saysR) and (onceR), and for the case (⊸R), we appeal to a lemma which states that $\Sigma;\Psi \models c$ and $\Sigma;\Psi,c;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$ imply $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$. The latter follows by a straightforward induction on the derivation of $\Sigma;\Psi,c;E;\Gamma;\Delta \xrightarrow{v} s \ast [u_1,u_2]$.

Theorem 9.5 (Admissibility of cut). The following four properties hold:

1. Suppose that

(a) $\Sigma;\Psi;E;\Gamma;\Delta_1 \xrightarrow{v} s \ast [u_1,u_2]$ and

(b) $\Sigma;\Psi;E;\Gamma;\Delta_2, s \ast [u_1,u_2] \xrightarrow{v} s' \ast [u_1',u_2']$

Then $\Sigma;\Psi;E;\Gamma;\Delta_1,\Delta_2 \xrightarrow{v} s' \ast [u_1',u_2']$.

2. Suppose that

(a) $\Sigma;\Psi;E;\Gamma;\cdot \xrightarrow{v} s \ast [u_1,u_2]$ and

(b) $\Sigma;\Psi;E;\Gamma, s \circ [u_1,u_2];\Delta \xrightarrow{v} s' \ast [u_1',u_2']$

Then $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s' \ast [u_1',u_2']$.

3. Suppose that

(a) $\Sigma;\Psi;E;\Gamma|;\Delta_1| \xrightarrow{k,u_1,u_2} s \ast [u_1,u_2]$ and

(b) $\Sigma;\Psi;E;\Gamma;\Delta_2, k\ \mathsf{claims}\ s \ast [u_1,u_2] \xrightarrow{v} s' \ast [u_1',u_2']$

Then $\Sigma;\Psi;E;\Gamma;\Delta_1|,\Delta_2 \xrightarrow{v} s' \ast [u_1',u_2']$.

4. Suppose that

(a) $\Sigma;\Psi;E;\Gamma|;\cdot \xrightarrow{k,u_1,u_2} s \ast [u_1,u_2]$ and

(b) $\Sigma;\Psi;E;\Gamma, k\ \mathsf{claims}\ s \circ [u_1,u_2];\Delta \xrightarrow{v} s' \ast [u_1',u_2']$

Then $\Sigma;\Psi;E;\Gamma;\Delta \xrightarrow{v} s' \ast [u_1',u_2']$.

Proof. By a simultaneous lexicographic induction, first on the size of the cut formula $s$, then on the orders (2) > (1), (3) > (1), and (4) > (1), and finally on the depths of the two given derivations, as in prior work [43, 54, 66]. □

Theorem 9.6 (Identity). If $\Sigma;\Psi \models u_1 \leq u_1'$ and $\Sigma;\Psi \models u_2' \leq u_2$, then $\Sigma;\Psi;E;\Gamma;\ s \ast [u_1,u_2] \xrightarrow{v} s \ast [u_1',u_2']$.

Proof. By induction on $s$. □


9.2  Examples  of  Use 

In this section we present two examples of policies that use linearity to encode motifs like consumable credentials, and real expendable resources like money. These examples are illustrative, primarily intended to demonstrate the expressiveness of BL^L. Other examples of the use of linearity in the context of authorization may be found in prior work [54, 66].

Consumable credentials. The simplest use of linearity is in modeling consumable credentials, which we illustrate through a hypothetical example inspired by the Grey system [20]. Assume that access to doors in certain offices is controlled through proof-carrying authorization, and that the owner of an office is allowed to decide who may enter an office. Assuming that the predicate mayenter K' K means that K' may enter the office of K, and that admin has ultimate authority on access, the following policy rule gives each principal K authority to decide who may enter her office. (As in §8, variables in uppercase letters are universally quantified immediately after the annotation claims.)

$$\mathsf{admin}\ \mathsf{claims}\ ((K\ \mathsf{once}\ (\mathsf{mayenter}\ K'\ K)) \multimap (\mathsf{mayenter}\ K'\ K)) \circ [-\infty, +\infty]$$

The policy rule is unrestricted (it can be used any number of times) since it contains the symbol ∘, not ∗. Use of the connective once in the policy rule, as opposed to says, is important because it gives every principal the ability to allow another principal access to her office only once. For example, in conjunction with the previous policy rule, the following consumable credential issued by Alice would allow Bob to enter Alice's office at most once in the interval in the week January 01, 2009 to January 07, 2009. After Bob uses this credential once, it will be marked consumed by the reference monitor, so Bob will not be able to enter Alice's office again using this credential.

$$\mathsf{Alice}\ \mathsf{claims}\ (\mathsf{mayenter}\ \mathsf{Bob}\ \mathsf{Alice}) \ast [2009{:}01{:}01, 2009{:}01{:}07]$$
It is easy to check that the above two assumptions entail that $\mathsf{admin}\ \mathsf{once}\ (\mathsf{mayenter}\ \mathsf{Bob}\ \mathsf{Alice}) \ast [2009{:}01{:}01, 2009{:}01{:}07]$, and that this would not be the case if we replaced once by says in the first rule. Also observe that both linearity and time restrict the use of the second credential, but in different ways.

Had Alice wanted to allow Bob unlimited access to her office during the week January 01, 2009 to January 07, 2009, she could have issued the following unrestricted credential in place of the second credential above.

$$\mathsf{Alice}\ \mathsf{claims}\ (\mathsf{mayenter}\ \mathsf{Bob}\ \mathsf{Alice}) \circ [2009{:}01{:}01, 2009{:}01{:}07]$$

Using the first and the third assumptions above, it is possible to derive in BL^L the judgment $\mathsf{admin}\ \mathsf{says}\ (\mathsf{mayenter}\ \mathsf{Bob}\ \mathsf{Alice}) \ast [2009{:}01{:}01, 2009{:}01{:}07]$, which would allow Bob to access Alice's office any number of times during the week.

Modeling actual state. Using constraints and linearity, it is possible to model actual system state and even to keep track of expendable resources like money in the logic. For instance, the following rule formalizes the fact that an individual K possessing $N initially (predicate hasmoney K N) may spend $10 to buy a movie ticket from the theater (formula theater once (ticket K)), leaving the individual with $(N − 10).

$$((\mathsf{hasmoney}\ K\ N) \otimes (N \geq 10) \otimes (\mathsf{is}\ N'\ (N - 10))) \multimap ((\mathsf{hasmoney}\ K\ N') \otimes (\mathsf{theater}\ \mathsf{once}\ (\mathsf{ticket}\ K))) \circ [-\infty, +\infty]$$

The above rule expresses a state transition that reduces the amount of money K has and generates an authorization (a ticket) in return. The ticket may be used by the individual to enter the theater, which we express as follows.

$$\mathsf{theater}\ \mathsf{claims}\ ((\mathsf{ticket}\ K) \multimap (\mathsf{mayenter}\ K\ \mathsf{theater})) \circ [-\infty, +\infty]$$

As an example, the above two policy rules and the linear hypothesis $(\mathsf{hasmoney}\ \mathsf{Alice}\ 30) \ast [-\infty, +\infty]$ together entail the following judgment in BL^L, which means that Alice could access the theater thrice and be left with no money.

$$\begin{array}{l}
((\mathsf{theater}\ \mathsf{once}\ (\mathsf{mayenter}\ K\ \mathsf{theater})) \otimes \\
\ (\mathsf{theater}\ \mathsf{once}\ (\mathsf{mayenter}\ K\ \mathsf{theater})) \otimes \\
\ (\mathsf{theater}\ \mathsf{once}\ (\mathsf{mayenter}\ K\ \mathsf{theater})) \otimes \\
\ (\mathsf{hasmoney}\ \mathsf{Alice}\ 0)) \ast [-\infty, +\infty]
\end{array}$$

In this example, linearity has been used to model an expendable resource (money), but consumption of the resource is not tracked via a reference monitor. Instead, a linear predicate hasmoney K N that models actual possession of money is consumed and updated by the first rule. More examples of such use of linearity may be found in prior work [66]. It should also be noted that the predicate ticket K produced by the first rule and consumed by the second is a consumable credential in the sense mentioned in the opening of this chapter.
9.3 Enforcement with Procaps

In the opening of this chapter we proposed a simple strategy that may be employed to enforce correct use of consumable credentials using BL^L and proof-carrying authorization (without procaps). In that strategy we suggested that consumable credentials used in a proof be assumed in the linear hypotheses, and that the proof verifier keep track of the number of times each consumable credential has been used by counting the number of its occurrences in the linear hypotheses of each proof it successfully verifies. Now we ask whether this strategy can be adapted to PCFS, where proofs are verified ahead of access. There are two possibilities for tracking consumable credentials in PCFS:

-  The  proof  verifier  may  track  consumable  credentials,  and  refuse  to  issue  procaps  for 
proofs  that  rely  on  exhausted  credentials. 

-  The  file  system  back  end  may  track  consumable  credentials,  relying  on  the  proof 
verifier  to  correctly  transfer  the  list  of  consumable  credentials  from  proofs  it  verifies 
to  procaps  it  generates. 

The first method, although clearly advantageous in that it does not increase the procap-checking burden of the back end, is not appropriate because it suffers from two related problems. First, it allows a principal to generate a procap using a proof that relies on consumable credentials and to use the procap for access again and again, possibly circumventing the bound on the number of uses of the consumable credentials used in the proof. Second, it is possible to verify a proof, but never use the procap generated from it, thus wasting consumable credentials used in the proof which may have been helpful for proving other authorizations. Owing to these problems, for PCFS, the second method may be more suitable. Accordingly, consumable credentials can be enforced using BL^L in the PCFS architecture as follows.

-  Each certificate establishing a consumable credential is distinctly marked by the creator as being consumable. The number of times such a credential can be used is made available to the reference monitor in the PCFS back end. (Details on this follow below.)

-  During proof verification, the proof verifier requires that any hypothesis established by a certificate marked as consumable (previous point) be assumed as a resource, possibly repeated many times. The inference rules of BL^L now ensure that each consumable credential is used in the proof exactly the number of times it is repeated in the linear hypotheses. The proof verifier puts the identity of each consumable credential occurring in the linear hypotheses of a proof, as well as the number of times it appears in the linear hypotheses, into the procap it generates from the proof.

-  Whenever  the  PCFS  back  end  retrieves  and  checks  a  procap,  it  increases  (in  an  internal 
database)  the  number  of  uses  of  each  consumable  credential  as  mentioned  in  the 
procap.  If  the  count  of  any  consumable  credential  exceeds  its  maximum  stipulated 
use,  then  the  procap  is  rejected,  else  its  other  conditions  are  checked  as  discussed 
in  §5.2. 
An important question we have not yet addressed is how the PCFS back end learns the identities and maximum stipulated use of each consumable credential. (A similar question arises if the proof verifier tracks use of consumable credentials in proof-carrying authorization without procaps.) One possibility in this regard, which may be easy to implement in a centralized system like the current implementation of PCFS, is to require that creators of consumable credentials report them to the back end, which could maintain a central database of such reports. A procap relying on any consumable credential not reported to the back end could be immediately rejected. In a fully distributed setting, it may be implausible to assume that all consumable credentials ever issued would be reported to the back end. In that case, the back end may contact issuers of credentials on a need-only basis. More so, the issuers may themselves keep track of use of credentials they issue, and update their records when the back end contacts them. However, the latter approach results in an atomicity problem: either all issuers of consumable credentials mentioned in a procap should update their records and the back end must know this so that it can proceed, or none should and the back end must know this so that it can reject the procap. Bowers et al. discuss, implement, and evaluate the performance of contract signing protocols for solving this atomicity problem in the context of proof-carrying authorization without procaps [34].
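The back-end bookkeeping described in the three steps above, combined with the centralized reporting database of the last paragraph, can be made concrete as follows. This Python is an added example, not PCFS's own code; the `Procap` record and the `ConsumableLedger` class are hypothetical, and the credential identifiers and limits in the sample are constructed. Each procap carries, for every consumable credential in the proof's linear hypotheses, the number of times it occurred there; the ledger accepts a procap only if every credential it names has been reported and has enough remaining uses, and it updates counts only after the whole procap has passed, so a rejected procap leaves every count untouched (the all-or-nothing behaviour the atomicity discussion asks for within a single back end).

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Tuple


# Hypothetical procap record (not PCFS's own format): consumables lists
# (credential id, number of occurrences in the proof's linear hypotheses).
@dataclass(frozen=True)
class Procap:
    principal: str
    path: str
    right: str
    consumables: Tuple[Tuple[str, int], ...]


class ConsumableLedger:
    """Central database of reported consumable credentials and their use counts,
    as kept by the reference monitor in the back end."""

    def __init__(self) -> None:
        self.max_uses: Dict[str, int] = {}   # reported by the credential's creator
        self.used: Counter = Counter()       # uses consumed by accepted procaps

    def report(self, cred_id: str, max_uses: int) -> None:
        """Creator of a consumable credential reports it and its use bound."""
        if max_uses < 1:
            raise ValueError("a consumable credential must allow at least one use")
        self.max_uses[cred_id] = max_uses

    def remaining(self, cred_id: str) -> int:
        return self.max_uses.get(cred_id, 0) - self.used[cred_id]

    def check_procap(self, procap: Procap) -> Tuple[bool, str]:
        """Account for the consumable credentials a procap relies on.
        Returns (accepted, reason); on acceptance the counts are committed and
        the caller goes on to the remaining procap conditions (§5.2)."""
        demand: Counter = Counter()
        for cred_id, n in procap.consumables:
            if n < 1:
                return False, f"non-positive use count for {cred_id}"
            demand[cred_id] += n           # the same credential may be listed twice
        # Phase 1: decide on the whole procap before touching any count.
        for cred_id, n in demand.items():
            if cred_id not in self.max_uses:
                return False, f"credential {cred_id} was never reported"
            if self.used[cred_id] + n > self.max_uses[cred_id]:
                return False, (f"credential {cred_id} would exceed its "
                               f"{self.max_uses[cred_id]} stipulated uses")
        # Phase 2: commit every count together; nothing was changed on rejection.
        self.used.update(demand)
        return True, "consumable credentials accounted"


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: Alice's one-shot credential for Bob is honoured once,
    a replay of the same procap is refused, and the refusal consumes nothing."""
    ledger = ConsumableLedger()
    ledger.report("alice:mayenter-bob:2009w1", 1)      # constructed identifier
    cap = Procap("Bob", "/office/alice", "enter", (("alice:mayenter-bob:2009w1", 1),))
    first, _ = ledger.check_procap(cap)
    replay, _ = ledger.check_procap(cap)
    return first, replay, ledger.remaining("alice:mayenter-bob:2009w1") == 0
```

Checking before committing is what prevents a procap naming several credentials from partially exhausting some of them and then being rejected on another; a multi-issuer setting needs the contract-signing protocols cited above for the same guarantee across parties.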


9.4  Related  Work 

Linearity  was  first  introduced  in  a  classical  logic  by  Girard  [71].  Intuitionistic  versions  were 
later  considered  by  several  authors,  e.g.,  [9,  27,  140].  In  a  judgmental  form  that  we  build 
upon,  the  logic  was  first  presented  by  Chang  et  al.  [39].  Going  beyond  linear  logic,  Wright 
[144]  described  a  meta-logic  in  which  the  uses  of  each  hypothesis  are  explicitly  counted  by 
annotations.  Wright’s  annotations  are  more  general  than  replication  of  hypotheses  suggested 
in  this  chapter  because  annotations  can  be  used  to  encode  many  different  logics  of  resources 
including  linear  logic. 

In  the  context  of  authorization,  there  has  been  limited  work  on  the  use  of  linearity. 
The  area  was  pioneered  in  the  work  of  the  author  and  others  [66],  where  linearity  was 
considered  for  expressing  not  only  consumable  credentials  but  also  for  expressing  elements 
of  state,  knowledge  of  individuals,  and  authorization-guarded  transitions  on  both.  The 
paper  also  showed  that  invariant  properties  of  state  may  be  formally  expressed  and  verified 
in  logical  proofs.  The  latter  idea  has  been  developed  and  refined  significantly  in  recent  work 
by  DeYoung  and  Pfenning  [55]. 

Bowers et al. [34] implemented and tested enforcement of consumable credentials using linear logic to track use of consumable credentials in proofs, and contract signing protocols to track their use in the reference monitor. Independent of other work mentioned above, Cederquist et al. [37] developed a logic for auditing authorization violations on traces that contained a limited form of linearity for recording authorizations that may be used once only. Barth and Mitchell [17] proved, in the context of digital rights management, that all strategies for selecting consumable credentials to authorize a request without knowing future requests suffer from a common problem of non-monotonicity: replacing a credential by a more general credential may cause the algorithm to behave worse in the future. Using a fragment of linear logic for expressing digital rights, they further showed that, under certain conditions on formulas representing the rights, monotonicity can be recovered.

A combination of linearity and explicit time was explored earlier in the author's joint work on η logic [54], later developed in great depth in DeYoung's undergraduate thesis [53]. Although the fundamental nature of the says modality in η logic is different from that in BL, and in particular, the linear version of η logic contains only one says connective, not two like BL^L, many of the ideas that this chapter builds on owe at least a vague allegiance to that work. The direct inspiration for the methods and work in this chapter, however, is the author's earlier joint work [66].
In this thesis we have introduced proof theory and metatheory in the context of authorization logic, explained their foundational and practical importance through a new logic BL, developed a logic-based, provably correct mechanism for enforcing dynamic policies in operation-intensive systems, and demonstrated feasibility of the latter by implementing and testing it in a new file system, PCFS. We expect that the architecture for authorization proposed in this thesis will be useful in applications besides PCFS, and hope that it leads to formally grounded, efficient enforcement of access control policies in operation-intensive interfaces. In this final chapter we list some broad themes for future work that either complement or build upon the work of the thesis.

The overall purpose of access control, of which the work in this thesis is a part, is to provide security for sensitive components of computer systems. Successful attainment of this goal requires careful consideration not only of authentication and authorization mechanisms, but also of the usability of the access control framework. Accordingly, complementary to the work in this thesis, it may be useful to develop a front end for authoring authorization policies, converting them to logical form, and checking them for well-formedness. Such a front end may be necessary in some cases for at least two reasons. First, it may be unreasonable to expect that system administrators responsible for creating authorization policies would always understand logical syntax, so policy authoring tools that incorporate common policy creation workflows and automatically translate them to logic may be essential. Prior work on the Grey system has considered these issues [19, 20]. Second, it may be necessary to check policies for well-formedness before using them for enforcement. Such checks may not only ensure that principals have not exceeded their jurisdiction in creating policies, but may also ascertain that policies are well-moded to aid automatic proof search. We alluded to the possibility of mode checks and their importance in §6.4. A policy front end may also compile or residuate policy clauses to aid automatic proof search.

Another possible line of work is to use saturating search à la Datalog to find all consequences of policies and to generate all possible procaps through a centralized inference engine, and hence enforce the policies without the use of explicit proofs. Abduction techniques from logic programming [24, 51] may help find relevant conditions (constraints and interpreted predicates) that would allow access from policies that are dynamic. On the subject of enforcement of policies, an important open question is that of lower bounds on the complexity of distributed tracking of consumable credentials, as discussed in §9.3.

It also seems plausible to analyze policies against meta-level correctness criteria using proof-theoretic methods. Beginnings of such analysis were made in prior joint work of the author and Pfenning [67] under the name of non-interference properties, and also in the work of Abadi [5]. It may be of significant practical use to expand the analysis in these papers, to propose a language for expressing meta-level correctness criteria for authorization policies expressed in logic, and to develop analyses for checking against these criteria automatically.

Finally, even though authorization policies establish the legitimacy of single accesses, many relevant security properties of systems are the consequence of interaction between several accesses and ensuing state changes. Developing foundational methods that combine authorization policies expressed in logic with information about workflows or programs that govern system behavior, in order to establish relevant invariant properties of state or even arbitrary safety properties, is an interesting topic of further research, at least to the author. Some work on the subject already exists, e.g., [25, 55, 66], but a lot still needs to be done to make the methods useful for analysis of practical systems.
Appendix A

Proofs and Other Details from §3


A.1 Axiomatic Proof System for BL$_0$


In §3.1, we presented some rules and axioms for the axiomatic system. Here, we list all the rules and axioms, including those listed earlier.


Rules:

$\dfrac{\Sigma \vdash_H s}{\Sigma \vdash_H k\ \mathsf{says}\ s}$ (N)

$\dfrac{\Sigma \vdash_H s \supset s' \qquad \Sigma \vdash_H s}{\Sigma \vdash_H s'}$ (mp)

$\dfrac{\Sigma, x{:}\sigma \vdash_H s \supset s' \qquad x \notin s}{\Sigma \vdash_H s \supset \forall x{:}\sigma.\,s'}$ (U)

$\dfrac{\Sigma, x{:}\sigma \vdash_H k\ \mathsf{says}\ (s \supset s') \qquad x \notin s, k}{\Sigma \vdash_H k\ \mathsf{says}\ (s \supset \forall x{:}\sigma.\,s')}$ (F)

$\dfrac{\Sigma, x{:}\sigma \vdash_H s \supset s' \qquad x \notin s'}{\Sigma \vdash_H (\exists x{:}\sigma.\,s) \supset s'}$ (E)

$\dfrac{\Sigma, x{:}\sigma \vdash_H k\ \mathsf{says}\ (s \supset s') \qquad x \notin s', k}{\Sigma \vdash_H k\ \mathsf{says}\ ((\exists x{:}\sigma.\,s) \supset s')}$ (G)

Axioms:

$\Sigma \vdash_H (k\ \mathsf{says}\ (s_1 \supset s_2)) \supset ((k\ \mathsf{says}\ s_1) \supset (k\ \mathsf{says}\ s_2))$ (K)

$\Sigma \vdash_H (k\ \mathsf{says}\ s) \supset k'\ \mathsf{says}\ k\ \mathsf{says}\ s$ (I)

$\Sigma \vdash_H k\ \mathsf{says}\ ((k\ \mathsf{says}\ s) \supset s)$ (C)

$\Sigma \vdash_H (k\ \mathsf{says}\ s) \supset k'\ \mathsf{says}\ s$ if $\Sigma \vdash k \succeq k'$ (S)

$\Sigma \vdash_H s \supset (r \supset s)$ (imp1)

$\Sigma \vdash_H (s \supset s') \supset ((s \supset (s' \supset s'')) \supset (s \supset s''))$ (imp2)

$\Sigma \vdash_H s \supset (s' \supset (s \wedge s'))$ (conj1)

$\Sigma \vdash_H (s \wedge s') \supset s$ (conj2)

$\Sigma \vdash_H (s \wedge s') \supset s'$ (conj3)

$\Sigma \vdash_H s \supset (s \vee s')$ (disj1)

$\Sigma \vdash_H s' \supset (s \vee s')$ (disj2)

$\Sigma \vdash_H (s \supset s'') \supset ((s' \supset s'') \supset ((s \vee s') \supset s''))$ (disj3)

$\Sigma \vdash_H \top$ (true)

$\Sigma \vdash_H \bot \supset s$ (false)

$\Sigma \vdash_H (\forall x{:}\sigma.\,s) \supset s[t/x]$ if $\Sigma \vdash t : \sigma$ (instU)

$\Sigma \vdash_H s[t/x] \supset \exists x{:}\sigma.\,s$ if $\Sigma \vdash t : \sigma$ (instE)
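As an added illustration (not code from the thesis), the following Python checker verifies closed derivations in the propositional fragment of the axiomatic system above (axioms (K), (I), (C), (S), (imp1), (imp2), (conj1)–(conj3) and rules (N), (mp)); the caller-supplied `stronger` predicate is a stand-in for the side condition $\Sigma \vdash k \succeq k'$ of (S), and the principal and atom names are constructed. It re-derives the (claims) case of Lemma A.2 below, with the "simple theorem in G" used as step 2 of that proof expanded into explicit Hilbert-style steps.

```python
# Added example, not code from the thesis: a checker for closed derivations in the
# propositional fragment of the axiomatic system listed above.  Formulas are nested
# tuples, principals are plain strings, and the side condition "Sigma |- k >= k'" of
# axiom (S) is supplied by the caller as a predicate (an assumption of this example).

def atom(name):  return ("atom", name)
def imp(a, b):   return ("imp", a, b)      # a ⊃ b
def conj(a, b):  return ("and", a, b)      # a ∧ b
def says(k, a):  return ("says", k, a)     # k says a
def V(name):     return ("var", name)      # schema variable of an axiom schema

def match(pat, f, env):
    """Match formula f against schema pat, recording schema-variable bindings in env."""
    if isinstance(pat, tuple) and pat[0] == "var":
        if pat[1] in env:
            return env[pat[1]] == f
        env[pat[1]] = f
        return True
    if isinstance(pat, str) or isinstance(f, str):
        return pat == f
    return (pat[0] == f[0] and len(pat) == len(f)
            and all(match(p, x, env) for p, x in zip(pat[1:], f[1:])))

k, k2, s, s1, s2, r = V("k"), V("k'"), V("s"), V("s1"), V("s2"), V("r")
AXIOMS = {                      # axiom schemas exactly as listed on the page
    "K":     imp(says(k, imp(s1, s2)), imp(says(k, s1), says(k, s2))),
    "I":     imp(says(k, s), says(k2, says(k, s))),
    "C":     says(k, imp(says(k, s), s)),
    "imp1":  imp(s, imp(r, s)),
    "imp2":  imp(imp(s, s1), imp(imp(s, imp(s1, s2)), imp(s, s2))),
    "conj1": imp(s, imp(s1, conj(s, s1))),
    "conj2": imp(conj(s, s1), s),
    "conj3": imp(conj(s, s1), s1),
}
AX_S = imp(says(k, s), says(k2, s))       # (S), valid only if Sigma |- k >= k'

def check(proof, stronger):
    """Verify a derivation of Sigma |-_H f.  `proof` is a list of (formula, justification),
    where a justification is an axiom name, ("S",), ("N", i) or ("mp", i, j) with 1-based
    step numbers.  Returns the final formula or raises ValueError at the first bad step."""
    done = []
    for n, (f, how) in enumerate(proof, start=1):
        if isinstance(how, str):
            if how not in AXIOMS or not match(AXIOMS[how], f, {}):
                raise ValueError(f"step {n}: not an instance of ({how})")
        elif how[0] == "S":
            env = {}
            if not (match(AX_S, f, env) and stronger(env["k"], env["k'"])):
                raise ValueError(f"step {n}: (S) needs Sigma |- k >= k'")
        elif any(i < 1 or i >= n for i in how[1:]):
            raise ValueError(f"step {n}: refers to a step not yet derived")
        elif how[0] == "N":                  # from s conclude k says s
            if not (f[0] == "says" and f[2] == done[how[1] - 1]):
                raise ValueError(f"step {n}: bad use of (N)")
        elif how[0] == "mp":                 # from s ⊃ s' and s conclude s'
            major, minor = done[how[1] - 1], done[how[2] - 1]
            if not (major[0] == "imp" and major[1] == minor and major[2] == f):
                raise ValueError(f"step {n}: bad use of (mp)")
        else:
            raise ValueError(f"step {n}: unknown justification {how!r}")
        done.append(f)
    return done[-1]

def is_valid(proof, stronger):
    try:
        check(proof, stronger)
        return True
    except ValueError:
        return False

def claims_case_proof(G, s, k, k0):
    """The (claims) case of Lemma A.2 for a hypothesis set Gamma = G, fully spelled out:
    the thesis's step 2 ('simple theorem in G') becomes Hilbert steps 2-10 below."""
    ks, A, B = says(k, s), imp(says(k, s), s), conj(G, says(k, s))
    goal = imp(B, s)
    X = imp(imp(B, A), goal)
    return [
        (says(k, A), "C"),                                             # 1
        (imp(B, ks), "conj3"),                                         # 2
        (imp(imp(B, ks), X), "imp2"),                                  # 3
        (X, ("mp", 3, 2)),                                             # 4
        (imp(A, imp(B, A)), "imp1"),                                   # 5
        (imp(X, imp(A, X)), "imp1"),                                   # 6
        (imp(A, X), ("mp", 6, 4)),                                     # 7
        (imp(imp(A, imp(B, A)), imp(imp(A, X), imp(A, goal))), "imp2"),  # 8
        (imp(imp(A, X), imp(A, goal)), ("mp", 8, 5)),                  # 9
        (imp(A, goal), ("mp", 9, 7)),                                  # 10: thesis step 2
        (says(k, imp(A, goal)), ("N", 10)),                            # 11: thesis step 3
        (imp(says(k, imp(A, goal)), imp(says(k, A), says(k, goal))), "K"),  # 12
        (imp(says(k, A), says(k, goal)), ("mp", 12, 11)),              # 13: thesis step 4
        (says(k, goal), ("mp", 13, 1)),                                # 14: thesis step 5
        (imp(says(k, goal), says(k0, goal)), ("S",)),                  # 15
        (says(k0, goal), ("mp", 15, 14)),                              # 16: thesis step 6
    ]

if __name__ == "__main__":
    # Constructed input: principal "k" is at least as strong as "k0" (Sigma |- k >= k0).
    proof = claims_case_proof(atom("Gamma"), atom("s"), "k", "k0")
    print(check(proof, lambda a, b: (a, b) == ("k", "k0")))
```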
Next we introduce a proof tool: a generalized axiomatic system, which allows hypotheses. We write $\Sigma; \Gamma \vdash_G s$ to mean that if $\Sigma \vdash_H s'$ for each $s'$ in $\Gamma$, then $\Sigma \vdash_H s$. The rules of the generalized axiomatic system are shown below (axioms from above are unchanged).

$\Sigma; \Gamma, s \vdash_G s$ (use)

$\dfrac{\Sigma \vdash_H s \text{ is an axiom}}{\Sigma; \Gamma \vdash_G s}$ (ax)

$\dfrac{\Sigma; \cdot \vdash_G s}{\Sigma; \Gamma \vdash_G k\ \mathsf{says}\ s}$ (N)

$\dfrac{\Sigma; \Gamma \vdash_G s \supset s' \qquad \Sigma; \Gamma \vdash_G s}{\Sigma; \Gamma \vdash_G s'}$ (mp)

$\dfrac{\Sigma, x{:}\sigma; \Gamma \vdash_G s \supset s' \qquad x \notin \Gamma, s}{\Sigma; \Gamma \vdash_G s \supset \forall x{:}\sigma.\,s'}$ (U)

$\dfrac{\Sigma, x{:}\sigma; \Gamma \vdash_G s \supset s' \qquad x \notin \Gamma, s'}{\Sigma; \Gamma \vdash_G (\exists x{:}\sigma.\,s) \supset s'}$ (E)

$\dfrac{\Sigma, x{:}\sigma; \cdot \vdash_G k\ \mathsf{says}\ (s \supset s') \qquad x \notin \Gamma, s, k}{\Sigma; \Gamma \vdash_G k\ \mathsf{says}\ (s \supset \forall x{:}\sigma.\,s')}$ (F)

$\dfrac{\Sigma, x{:}\sigma; \cdot \vdash_G k\ \mathsf{says}\ (s \supset s') \qquad x \notin \Gamma, s', k}{\Sigma; \Gamma \vdash_G k\ \mathsf{says}\ ((\exists x{:}\sigma.\,s) \supset s')}$ (G)
Now  we  prove  some  basic  properties  of  the  generalized  axiomatic  system. 

Lemma A.1 (Basic properties). The following hold.

1. (Weakening) $\Sigma; \Gamma \vdash_G s$ implies $\Sigma; \Gamma, \Gamma' \vdash_G s$.

2. (Substitution) $\Sigma; \Gamma \vdash_G s$ and $\Sigma; \Gamma, s \vdash_G s'$ imply $\Sigma; \Gamma \vdash_G s'$.

3. (Deduction) $\Sigma; \Gamma \vdash_G s \supset s'$ if and only if $\Sigma; \Gamma, s \vdash_G s'$.

4. (Equivalence) $\Sigma; \cdot \vdash_G s$ if and only if $\Sigma \vdash_H s$.

Proof. (1) follows by induction on the given derivation. (2) follows by induction on the second given derivation.

The "only if" direction of (3) follows directly from the rules (use) and (mp): given that $\Sigma; \Gamma \vdash_G s \supset s'$, we get $\Sigma; \Gamma, s \vdash_G s \supset s'$ by (1), and $\Sigma; \Gamma, s \vdash_G s$ from rule (use). Using (mp) on the last two derivations, we get $\Sigma; \Gamma, s \vdash_G s'$ as required.

The "if" direction of (3) follows by an induction on the derivation of $\Sigma; \Gamma, s \vdash_G s'$. This is somewhat tedious, but standard.

Each direction of (4) follows by a simple induction on the given derivation. □


A.2 Proof of Theorem 3.13

In this section we present those details of the proof of Theorem 3.13 that were not presented in §3.3. In particular we show here that the natural deduction system for BL$_0$ can be simulated in the axiomatic system and that the axiomatic system can be simulated in the sequent calculus.

Lemma A.2 (2 ⇒ 3 from Theorem 3.13). $\Sigma; \Gamma \vdash_k s$ implies $\Sigma \vdash_H k\ \mathsf{says}\ (\Gamma \supset s)$.
Proof. By Lemma A.1.4, it suffices to show that $\Sigma; \Gamma \vdash_k s$ implies $\Sigma; \cdot \vdash_G k\ \mathsf{says}\ (\Gamma \supset s)$. We prove this by induction on the derivation of $\Sigma; \Gamma \vdash_k s$, and show some of the interesting cases below. Basic transformation steps in the axiomatic system such as Currying and un-Currying are often performed implicitly.

Case. $\Sigma; \Gamma, s \vdash_k s$ (hyp)

To show: $\Sigma; \cdot \vdash_G k\ \mathsf{says}\ ((\Gamma \wedge s) \supset s)$

1. $\Sigma; \cdot \vdash_G (\Gamma \wedge s) \supset s$ (Axiom (conj3))

2. $\Sigma; \cdot \vdash_G k\ \mathsf{says}\ ((\Gamma \wedge s) \supset s)$ (Rule (N) on 1)

Case. $\dfrac{\Sigma \vdash k \succeq k_0}{\Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash_{k_0} s}$ (claims)

To show: $\Sigma; \cdot \vdash_G k_0\ \mathsf{says}\ ((\Gamma \wedge (k\ \mathsf{says}\ s)) \supset s)$

1. $\Sigma; \cdot \vdash_G k\ \mathsf{says}\ ((k\ \mathsf{says}\ s) \supset s)$ (Axiom (C))

2. $\Sigma; \cdot \vdash_G ((k\ \mathsf{says}\ s) \supset s) \supset ((\Gamma \wedge (k\ \mathsf{says}\ s)) \supset s)$ (Simple theorem in G)

3. $\Sigma; \cdot \vdash_G k\ \mathsf{says}\ (((k\ \mathsf{says}\ s) \supset s) \supset ((\Gamma \wedge (k\ \mathsf{says}\ s)) \supset s))$ (Rule (N) on 2)

4. $\Sigma; \cdot \vdash_G (k\ \mathsf{says}\ ((k\ \mathsf{says}\ s) \supset s)) \supset k\ \mathsf{says}\ ((\Gamma \wedge (k\ \mathsf{says}\ s)) \supset s)$ (Axiom (K) and rule (mp) on 3)

5. $\Sigma; \cdot \vdash_G k\ \mathsf{says}\ ((\Gamma \wedge (k\ \mathsf{says}\ s)) \supset s)$ (Rule (mp) on 4,1)

6. $\Sigma; \cdot \vdash_G k_0\ \mathsf{says}\ ((\Gamma \wedge (k\ \mathsf{says}\ s)) \supset s)$ (Axiom (S) and rule (mp) on 5)

Case. $\dfrac{\Sigma, x{:}\sigma; \Gamma \vdash_k s}{\Sigma; \Gamma \vdash_k \forall x{:}\sigma.\,s}$ (∀I)

To show: $\Sigma; \cdot \vdash_G k\ \mathsf{says}\ (\Gamma \supset \forall x{:}\sigma.\,s)$

1. $\Sigma, x{:}\sigma; \cdot \vdash_G k\ \mathsf{says}\ (\Gamma \supset s)$ (i.h. on premise)

2. $\Sigma; \cdot \vdash_G k\ \mathsf{says}\ (\Gamma \supset \forall x{:}\sigma.\,s)$ (Rule (F) on 1)

Case. $\dfrac{\Sigma; \Gamma{|} \vdash_k s}{\Sigma; \Gamma \vdash_{k_0} k\ \mathsf{says}\ s}$ (saysI)

To show: $\Sigma; \cdot \vdash_G k_0\ \mathsf{says}\ (\Gamma \supset k\ \mathsf{says}\ s)$

Let $\Gamma{|} = k_1\ \mathsf{claims}\ s_1, \ldots, k_n\ \mathsf{claims}\ s_n$.

1. $\Sigma; \cdot \vdash_G k\ \mathsf{says}\ (((k_1\ \mathsf{says}\ s_1) \wedge \ldots \wedge (k_n\ \mathsf{says}\ s_n)) \supset s)$ (i.h. on premise)

2. $\Sigma; \cdot \vdash_G ((k\ \mathsf{says}\ k_1\ \mathsf{says}\ s_1) \wedge \ldots \wedge (k\ \mathsf{says}\ k_n\ \mathsf{says}\ s_n)) \supset k\ \mathsf{says}\ s$ (Axiom (K) and rule (mp) on 1)

3. $\Sigma; k\ \mathsf{says}\ k_1\ \mathsf{says}\ s_1, \ldots, k\ \mathsf{says}\ k_n\ \mathsf{says}\ s_n \vdash_G k\ \mathsf{says}\ s$ (Lemma A.1.3 on 2)

4. $\Sigma; \cdot \vdash_G (k_i\ \mathsf{says}\ s_i) \supset k\ \mathsf{says}\ k_i\ \mathsf{says}\ s_i$ (Axiom (I))

5. $\Sigma; k_i\ \mathsf{says}\ s_i \vdash_G k\ \mathsf{says}\ k_i\ \mathsf{says}\ s_i$ (Lemma A.1.3 on 4)

6. $\Sigma; k_1\ \mathsf{says}\ s_1, \ldots, k_n\ \mathsf{says}\ s_n \vdash_G k\ \mathsf{says}\ s$ (Lemma A.1.2 on 5,3)

7. $\Sigma; \Gamma \vdash_G k\ \mathsf{says}\ s$ (Lemma A.1.1 on 6)

8. $\Sigma; \cdot \vdash_G \Gamma \supset k\ \mathsf{says}\ s$ (Lemma A.1.3 on 7)

9. $\Sigma; \cdot \vdash_G k_0\ \mathsf{says}\ (\Gamma \supset k\ \mathsf{says}\ s)$ (Rule (N) on 8)
Case. $\dfrac{\Sigma; \Gamma \vdash_{k_0} k\ \mathsf{says}\ s \qquad \Sigma; \Gamma, k\ \mathsf{claims}\ s \vdash_{k_0} s'}{\Sigma; \Gamma \vdash_{k_0} s'}$ (saysE)

To show: $\Sigma; \cdot \vdash_G k_0\ \mathsf{says}\ (\Gamma \supset s')$

1. $\Sigma; \cdot \vdash_G k_0\ \mathsf{says}\ (\Gamma \supset k\ \mathsf{says}\ s)$ (i.h. on 1st premise)

2. $\Sigma; \cdot \vdash_G k_0\ \mathsf{says}\ ((\Gamma \wedge k\ \mathsf{says}\ s) \supset s')$ (i.h. on 2nd premise)

3. $\Sigma; \cdot \vdash_G k_0\ \mathsf{says}\ (\Gamma \supset (k\ \mathsf{says}\ s) \supset s')$ (Currying on 2)

4. $\Sigma; \cdot \vdash_G (\Gamma \supset k\ \mathsf{says}\ s) \supset ((\Gamma \supset (k\ \mathsf{says}\ s) \supset s') \supset (\Gamma \supset s'))$ (Axiom (imp2))

5. $\Sigma; \cdot \vdash_G (k_0\ \mathsf{says}\ (\Gamma \supset k\ \mathsf{says}\ s)) \supset ((k_0\ \mathsf{says}\ (\Gamma \supset (k\ \mathsf{says}\ s) \supset s')) \supset k_0\ \mathsf{says}\ (\Gamma \supset s'))$ (Axiom (K), rule (mp) on 4)

6. $\Sigma; \cdot \vdash_G (k_0\ \mathsf{says}\ (\Gamma \supset (k\ \mathsf{says}\ s) \supset s')) \supset k_0\ \mathsf{says}\ (\Gamma \supset s')$ (Rule (mp) on 5,1)

7. $\Sigma; \cdot \vdash_G k_0\ \mathsf{says}\ (\Gamma \supset s')$ (Rule (mp) on 6,3)

□

Lemma A.3 (3 ⇒ 1 from Theorem 3.13). $\Sigma \vdash_H s$ implies $\Sigma; \cdot \xrightarrow{k_0} s$ for every $k_0$.


Proof. We induct on the derivation of $\Sigma \vdash_H s$, case analyzing the last rule in it. Some of the interesting cases are shown here.

Case. $\dfrac{\Sigma \vdash_H s}{\Sigma \vdash_H k\ \mathsf{says}\ s}$ (N)

To show: $\Sigma; \cdot \xrightarrow{k_0} k\ \mathsf{says}\ s$

1. $\Sigma; \cdot \xrightarrow{k} s$ (i.h. on premise)

2. $\Sigma; \cdot \xrightarrow{k_0} k\ \mathsf{says}\ s$ (Rule (saysR) on 1)

Case. $\dfrac{\Sigma \vdash_H s \supset s' \qquad \Sigma \vdash_H s}{\Sigma \vdash_H s'}$ (mp)

To show: $\Sigma; \cdot \xrightarrow{k_0} s'$

1. $\Sigma; \cdot \xrightarrow{k_0} s \supset s'$ (i.h. on 1st premise)

2. $\Sigma; \cdot \xrightarrow{k_0} s$ (i.h. on 2nd premise)

3. $\Sigma; s \supset s', s \xrightarrow{k_0} s$ (Theorem 3.11)

4. $\Sigma; s \supset s', s, s' \xrightarrow{k_0} s'$ (Theorem 3.11)

5. $\Sigma; s \supset s', s \xrightarrow{k_0} s'$ (Rule (⊃L) on 3,4)

6. $\Sigma; s \xrightarrow{k_0} s'$ (Theorem 3.10 on 5,1)

7. $\Sigma; \cdot \xrightarrow{k_0} s'$ (Theorem 3.10 on 6,2)

Case. $\dfrac{\Sigma, x{:}\sigma \vdash_H k\ \mathsf{says}\ (s \supset s') \qquad x \notin s, k}{\Sigma \vdash_H k\ \mathsf{says}\ (s \supset \forall x{:}\sigma.\,s')}$ (F)

To show: $\Sigma; \cdot \xrightarrow{k_0} k\ \mathsf{says}\ (s \supset \forall x{:}\sigma.\,s')$

1. $\Sigma, x{:}\sigma; \cdot \xrightarrow{k_0} k\ \mathsf{says}\ (s \supset s')$ (i.h. on premise)

2. $\Sigma, x{:}\sigma; \cdot \xrightarrow{k} s \supset s'$ (Inversion on 1)

3. $\Sigma, x{:}\sigma; s \xrightarrow{k} s'$ (Inversion on 2)

4. $\Sigma; s \xrightarrow{k} \forall x{:}\sigma.\,s'$ (Rule (∀R) on 3)

5. $\Sigma; \cdot \xrightarrow{k} s \supset \forall x{:}\sigma.\,s'$ (Rule (⊃R) on 4)

6. $\Sigma; \cdot \xrightarrow{k_0} k\ \mathsf{says}\ (s \supset \forall x{:}\sigma.\,s')$ (Rule (saysR) on 5)

Case. $\Sigma \vdash_H (k\ \mathsf{says}\ (s_1 \supset s_2)) \supset ((k\ \mathsf{says}\ s_1) \supset (k\ \mathsf{says}\ s_2))$ (Axiom (K))

To show: $\Sigma; \cdot \xrightarrow{k_0} (k\ \mathsf{says}\ (s_1 \supset s_2)) \supset ((k\ \mathsf{says}\ s_1) \supset (k\ \mathsf{says}\ s_2))$

1. $\Sigma; k\ \mathsf{claims}\ (s_1 \supset s_2), k\ \mathsf{claims}\ s_1, s_1 \supset s_2, s_1 \xrightarrow{k} s_1$

2. $\Sigma; k\ \mathsf{claims}\ (s_1 \supset s_2), k\ \mathsf{claims}\ s_1, s_1 \supset s_2, s_1, s_2 \xrightarrow{k} s_2$

3. $\Sigma; k\ \mathsf{claims}\ (s_1 \supset s_2), k\ \mathsf{claims}\ s_1, s_1 \supset s_2, s_1 \xrightarrow{k} s_2$ (Rule (⊃L) on 1,2)

4. $\Sigma; k\ \mathsf{claims}\ (s_1 \supset s_2), k\ \mathsf{claims}\ s_1 \xrightarrow{k} s_2$ (Rule (claims) on 3)

5. $\Sigma; k\ \mathsf{claims}\ (s_1 \supset s_2), k\ \mathsf{claims}\ s_1, k\ \mathsf{says}\ (s_1 \supset s_2), k\ \mathsf{says}\ s_1 \xrightarrow{k_0} k\ \mathsf{says}\ s_2$ (Rule (saysR) on 4)

6. $\Sigma; k\ \mathsf{says}\ (s_1 \supset s_2), k\ \mathsf{says}\ s_1 \xrightarrow{k_0} k\ \mathsf{says}\ s_2$ (Rule (saysL) on 5)

7. $\Sigma; \cdot \xrightarrow{k_0} (k\ \mathsf{says}\ (s_1 \supset s_2)) \supset ((k\ \mathsf{says}\ s_1) \supset (k\ \mathsf{says}\ s_2))$ (Rule (⊃R) on 6)

□

A.3 Proofs from §3.5.1

Theorem A.4 (Soundness; Theorem 3.16). If $\Sigma; \Gamma \to \gamma$ in GP logic, then $\ulcorner \Sigma; \Gamma \to \gamma \urcorner$ in BL$_0$.

Proof. By induction on the given sequent calculus proof of $\Sigma; \Gamma \to \gamma$, and case analysis of the last rule. We show some representative cases here.


Case. $\Sigma; \Gamma, p \to p$ (init)

To show: $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ p \xrightarrow{\ell} p$. This follows immediately from rule (claims) in Figure 3.3.

Case. $\dfrac{\Sigma; \Gamma \to A}{\Sigma; \Gamma \to k\ \mathsf{affirms}\ A}$ (affirms)

To show: $\Sigma; \ulcorner \Gamma \urcorner \xrightarrow{k} \ell\ \mathsf{says}\ \ulcorner A \urcorner$

1. $\Sigma; \ulcorner \Gamma \urcorner \xrightarrow{\ell} \ulcorner A \urcorner$ (i.h. on premise)

2. $\Sigma; \ulcorner \Gamma \urcorner \xrightarrow{k} \ell\ \mathsf{says}\ \ulcorner A \urcorner$ (Rule (saysR) on 1; $\ulcorner \Gamma \urcorner = \ulcorner \Gamma \urcorner{|}$)

Case. $\dfrac{\Sigma; \Gamma, A \supset B \to A \qquad \Sigma; \Gamma, A \supset B, B \to C}{\Sigma; \Gamma, A \supset B \to C}$ (⊃L)

To show: $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)) \xrightarrow{\ell} \ulcorner C \urcorner$

1. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)) \xrightarrow{\ell} \ulcorner A \urcorner$ (i.h. on 1st premise)

2. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)) \xrightarrow{\ell} \ell\ \mathsf{says}\ \ulcorner A \urcorner$ (Rule (saysR) on 1)

3. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)), \ell\ \mathsf{claims}\ \ulcorner B \urcorner \xrightarrow{\ell} \ulcorner C \urcorner$ (i.h. on 2nd premise)

4. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)), \ell\ \mathsf{says}\ \ulcorner B \urcorner \xrightarrow{\ell} \ulcorner C \urcorner$ (Rule (saysL) on 3)

5. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)), (\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner), \ell\ \mathsf{says}\ \ulcorner B \urcorner \xrightarrow{\ell} \ulcorner C \urcorner$ (Theorem 3.8 on 4)

6. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)), (\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner) \xrightarrow{\ell} \ulcorner C \urcorner$ (Rule (⊃L) on 2,5)

7. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)) \xrightarrow{\ell} \ulcorner C \urcorner$ (Rule (claims) on 6)

Case. $\dfrac{\Sigma; \Gamma, A \supset B \to A \qquad \Sigma; \Gamma, A \supset B, B \to k\ \mathsf{affirms}\ C}{\Sigma; \Gamma, A \supset B \to k\ \mathsf{affirms}\ C}$ (⊃L)

To show: $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)) \xrightarrow{k} \ell\ \mathsf{says}\ \ulcorner C \urcorner$

1. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)) \xrightarrow{\ell} \ulcorner A \urcorner$ (i.h. on 1st premise)

2. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)) \xrightarrow{k} \ell\ \mathsf{says}\ \ulcorner A \urcorner$ (Rule (saysR) on 1)

3. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)), \ell\ \mathsf{claims}\ \ulcorner B \urcorner \xrightarrow{k} \ell\ \mathsf{says}\ \ulcorner C \urcorner$ (i.h. on 2nd premise)

4. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)), \ell\ \mathsf{says}\ \ulcorner B \urcorner \xrightarrow{k} \ell\ \mathsf{says}\ \ulcorner C \urcorner$ (Rule (saysL) on 3)

5. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)), (\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner), \ell\ \mathsf{says}\ \ulcorner B \urcorner \xrightarrow{k} \ell\ \mathsf{says}\ \ulcorner C \urcorner$ (Theorem 3.8 on 4)

6. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)), (\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner) \xrightarrow{k} \ell\ \mathsf{says}\ \ulcorner C \urcorner$ (Rule (⊃L) on 2,5)

7. $\Sigma; \ulcorner \Gamma \urcorner, \ell\ \mathsf{claims}\ ((\ell\ \mathsf{says}\ \ulcorner A \urcorner) \supset (\ell\ \mathsf{says}\ \ulcorner B \urcorner)) \xrightarrow{k} \ell\ \mathsf{says}\ \ulcorner C \urcorner$ (Rule (claims) on 6)

Case. $\dfrac{\Sigma; \Gamma \to k\ \mathsf{affirms}\ A}{\Sigma; \Gamma \to k\ \mathsf{says}\ A}$ (saysR)

To show: $\Sigma; \ulcorner \Gamma \urcorner \xrightarrow{\ell} k\ \mathsf{says}\ \ell\ \mathsf{says}\ \ulcorner A \urcorner$

1. $\Sigma; \ulcorner \Gamma \urcorner \xrightarrow{k} \ell\ \mathsf{says}\ \ulcorner A \urcorner$ (i.h. on premise)

2. $\Sigma; \ulcorner \Gamma \urcorner \xrightarrow{\ell} k\ \mathsf{says}\ \ell\ \mathsf{says}\ \ulcorner A \urcorner$ (Rule (saysR) on 1; $\ulcorner \Gamma \urcorner = \ulcorner \Gamma \urcorner{|}$)

□
A.4 Proofs from §3.5.2

The objective of this section is to prove Theorem 3.20, which states that the translation from SL to BL$_0$ described in Figure 3.7 is sound and complete. We start with the proof of soundness.

Lemma A.5 (Soundness). If $\Delta \vdash_\Gamma g$, then for any fresh constant $x$, $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{x} \ulcorner g \urcorner$.

Proof. By induction on the derivation of $\Delta \vdash_\Gamma g$ and case analysis of the last rule.

Case. $\dfrac{(\forall x_1 \ldots x_n.\,(p \mathrel{:\!-} g_1, \ldots, g_m)) \in \Delta \qquad \mathrm{dom}(\theta) \supseteq x_1 \ldots x_n \qquad (\Delta \vdash_\Gamma g_i\theta)_i}{\Delta \vdash_\Gamma p\theta}$

To show: $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{x} p\theta$

1. $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{x} \ulcorner g_i \urcorner \theta$ (i.h. on 2nd premise)

2. $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{x} (\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner)\theta$ (Rule (∧R) on 1)

3. $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner, p\theta \xrightarrow{x} p\theta$ (Rule (init))

4. $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner, ((\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p)\theta \xrightarrow{x} p\theta$ (Rule (⊃L) on 2,3)

5. $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner, \forall x_1 \ldots x_n.\,((\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p) \xrightarrow{x} p\theta$ (Rule (∀L) on 4)

6. $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{x} p\theta$ (Contraction Theorem 3.8 on 5 using 1st premise)

Case. $\dfrac{(k : \Delta') \in \Gamma \qquad \Delta' \vdash_\Gamma p}{\Delta \vdash_\Gamma k\ \mathsf{says}\ p}$

To show: $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{x} k\ \mathsf{says}\ p$

Let $\Delta' = c_1, \ldots, c_n$.

1. $y{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner c_1 \urcorner, \ldots, \ulcorner c_n \urcorner \xrightarrow{y} p$ (i.h. on premise for fresh $y$)

2. $\cdot; \ulcorner \Gamma \urcorner, \ulcorner c_1 \urcorner, \ldots, \ulcorner c_n \urcorner \xrightarrow{k} p$ (Theorem 3.7 on 1)

3. $\cdot; \ulcorner \Gamma \urcorner \xrightarrow{k} p$ (Rule (claims) on 2; $(k : \Delta') \in \Gamma$ implies $(k\ \mathsf{claims}\ \ulcorner c_i \urcorner) \in \ulcorner \Gamma \urcorner$)

4. $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner \xrightarrow{k} p$ (Weakening on 3)

5. $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{x} k\ \mathsf{says}\ p$ (Rule (saysR) on 4; $\ulcorner \Gamma \urcorner = (\ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner){|}$)

□
To prove completeness of the translation, we identify a class of sequents in BL$_0$, called regular sequents, which satisfies two properties: (a) all sequents in the image of the translation $\ulcorner \cdot \urcorner$ are regular, and (b) if the conclusion of any rule from Figure 3.3 is regular, the premises must also be. Then we define an inverse translation $|\cdot|$ from regular sequents to sequents of SL, such that $|\ulcorner \cdot \urcorner|$ is the identity, and show that if a regular sequent is provable in BL$_0$, then its image under $|\cdot|$ is provable in SL. Completeness of $\ulcorner \cdot \urcorner$ follows immediately.

Before defining regular sequents, we prove basic properties about derivations in SL.

Lemma A.6 (Basic properties of SL). The following hold in SL.

1. (Weakening) If $\Delta \vdash_\Gamma g$ then $\Delta, c \vdash_\Gamma g$.

2. (Contraction) If $\Delta, c, c \vdash_\Gamma g$ then $\Delta, c \vdash_\Gamma g$.

3. (Substitution) Let $p$ be a ground atomic formula. Suppose $\Delta \vdash_\Gamma p$ and $\Delta, p \vdash_\Gamma g$. Then $\Delta \vdash_\Gamma g$.

Proof. (1) and (2) follow by straightforward inductions on the given derivations. We prove (3) by induction on the derivation of $\Delta, p \vdash_\Gamma g$, and case analysis of the last rule.

Case. $\dfrac{(\forall x_1 \ldots x_n.\,(p' \mathrel{:\!-} g_1, \ldots, g_m)) \in \Delta, p \qquad \mathrm{dom}(\theta) \supseteq x_1 \ldots x_n \qquad (\Delta, p \vdash_\Gamma g_i\theta)_i}{\Delta, p \vdash_\Gamma p'\theta}$

Subcase. $p = \forall x_1 \ldots x_n.\,(p' \mathrel{:\!-} g_1, \ldots, g_m)$. Then $n = m = 0$, and $p'\theta = p' = p$. To show: $\Delta \vdash_\Gamma p$. This is already given as an assumption in the statement of the theorem.

Subcase. $p \neq \forall x_1 \ldots x_n.\,(p' \mathrel{:\!-} g_1, \ldots, g_m)$. Hence $(\forall x_1 \ldots x_n.\,(p' \mathrel{:\!-} g_1, \ldots, g_m)) \in \Delta$. To show: $\Delta \vdash_\Gamma p'\theta$.

1. $(\Delta \vdash_\Gamma g_i\theta)_i$ (i.h. on 3rd premise, $m$ times)

2. $\Delta \vdash_\Gamma p'\theta$ (Rule (bc) on 1 and $(\forall x_1 \ldots x_n.\,(p' \mathrel{:\!-} g_1, \ldots, g_m)) \in \Delta$)

□

We also need an inversion lemma about derivations in BL$_0$.

Lemma A.7 (Strong inversion for (∧R)). If $\Sigma; \Gamma \xrightarrow{k} s_1 \wedge s_2$ in BL$_0$, then for $i = 1, 2$, $\Sigma; \Gamma \xrightarrow{k} s_i$ by a shorter or equal derivation.

Proof. By induction on the given derivation of $\Sigma; \Gamma \xrightarrow{k} s_1 \wedge s_2$. □

Definition A.8 (Regular sequents). We call a BL$_0$ sequent regular if it has the form $\cdot; \Xi, \Theta \xrightarrow{k} \gamma$, where

1. $\gamma = p$ or $\gamma = k'\ \mathsf{says}\ p$

2. $\Xi$ contains only hypotheses of the form $k_i\ \mathsf{claims}\ \ulcorner c_i \urcorner$

3. $\Theta$ contains only hypotheses of one of the following two forms:

(a) Atomic formulas $p$

(b) $\forall x.\,((\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p)$, such that for some $y$ and substitution $\theta$, $(k\ \mathsf{claims}\ \forall y, x.\,((\ulcorner g'_1 \urcorner \wedge \ldots \wedge \ulcorner g'_m \urcorner) \supset p')) \in \Xi$, $g'_i\theta = g_i$ for each $i$, and $p'\theta = p$.


Definition A.9 (Inverse translation). The inverse translation $|\cdot|$ from regular sequents and their components to SL, and a subsidiary translation $|\cdot|_k$ on hypotheses, are defined as follows.

$|p| = p$

$|k\ \mathsf{says}\ p| = k\ \mathsf{says}\ p$

$|\Xi| = \bigcup_k \{k : \{c \mid k\ \mathsf{claims}\ \ulcorner c \urcorner \in \Xi\}\}$

$|\Xi|_k = \{c \mid k\ \mathsf{claims}\ \ulcorner c \urcorner \in \Xi\}$

$|\Theta| = \{p \mid p \in \Theta\}$

$|\cdot; \Xi, \Theta \xrightarrow{k} \gamma| = |\Xi|_k, |\Theta| \vdash_{|\Xi|} |\gamma|$

Lemma A.10 (Simulation). Let $\cdot; \Xi, \Theta \xrightarrow{k} \gamma$ be regular and provable in BL$_0$. Then $|\Xi|_k, |\Theta| \vdash_{|\Xi|} |\gamma|$ is provable in SL.

Proof. By induction on the depth of the given sequent calculus proof of $\cdot; \Xi, \Theta \xrightarrow{k} \gamma$ and case analysis of its last rule. Some representative cases are shown here. We often use parentheses in the hypotheses to separate assumptions in $\Xi$ from those in $\Theta$.


Case. $\cdot; \Xi, (\Theta, p) \xrightarrow{k} p$ (init)

To show: $|\Xi|_k, |\Theta|, p \vdash_{|\Xi|} p$.

This follows immediately by rule (bc) on principal formula $p$.

Case. $\dfrac{\cdot \vdash k \succeq k_0 \qquad \cdot; (\Xi, k\ \mathsf{claims}\ \ulcorner c \urcorner), (\Theta, \ulcorner c \urcorner) \xrightarrow{k_0} \gamma}{\cdot; (\Xi, k\ \mathsf{claims}\ \ulcorner c \urcorner), \Theta \xrightarrow{k_0} \gamma}$ (claims)

By our assumption on principals, $k = k_0$. To show: $|\Xi|_k, c, |\Theta| \vdash_{|\Xi|} |\gamma|$.

Subcase. $c = p$.

1. $|\Xi|_k, c, |\Theta|, c \vdash_{|\Xi|} |\gamma|$ (i.h. on premise)

2. $|\Xi|_k, c, |\Theta| \vdash_{|\Xi|} |\gamma|$ (Contraction Lemma A.6 on 1)

Subcase. $c \neq p$.

1. $|\Xi|_k, c, |\Theta| \vdash_{|\Xi|} |\gamma|$ (i.h. on premise)

Case. $\dfrac{\cdot; \Xi{|}, \Theta{|} \xrightarrow{k} p}{\cdot; \Xi, \Theta \xrightarrow{k_0} k\ \mathsf{says}\ p}$ (saysR)

To show: $|\Xi|_{k_0}, |\Theta| \vdash_{|\Xi|} k\ \mathsf{says}\ p$

1. $\Xi{|} = \Xi$ and $\Theta{|} = \cdot$ (Defn.)

2. $\cdot; \Xi \xrightarrow{k} p$ (premise and 1)

3. $|\Xi|_k \vdash_{|\Xi|} p$ (i.h. on 2)

4. $k : |\Xi|_k \in |\Xi|$ (Defn.)

5. $|\Xi|_{k_0}, |\Theta| \vdash_{|\Xi|} k\ \mathsf{says}\ p$ (Rule (says) on 4,3)

Case. $\dfrac{\cdot; \Xi, \Theta, (\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p \xrightarrow{k} (\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \qquad \cdot; \Xi, \Theta, (\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p, p \xrightarrow{k} \gamma}{\cdot; \Xi, \Theta, (\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p \xrightarrow{k} \gamma}$ (⊃L)

Subcase. $m = 0$. To show: $|\Xi|_k, |\Theta|, p \vdash_{|\Xi|} |\gamma|$.

1. $|\Xi|_k, |\Theta|, p, p \vdash_{|\Xi|} |\gamma|$ (i.h. on 2nd premise)

2. $|\Xi|_k, |\Theta|, p \vdash_{|\Xi|} |\gamma|$ (Contraction Lemma A.6 on 1)

Subcase. $m \neq 0$. To show: $|\Xi|_k, |\Theta| \vdash_{|\Xi|} |\gamma|$.

By regularity, there must be some $y$ and $\theta$ such that $k\ \mathsf{claims}\ (\forall y.\,((\ulcorner g'_1 \urcorner \wedge \ldots \wedge \ulcorner g'_m \urcorner) \supset p')) \in \Xi$ and $g'_i\theta = g_i$ and $p'\theta = p$. This also implies that $(\forall y.\,(p' \mathrel{:\!-} g'_1, \ldots, g'_m)) \in |\Xi|_k$.

1. $\cdot; \Xi, \Theta, (\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p \xrightarrow{k} \ulcorner g_i \urcorner$ (Lemma A.7 on 1st premise)

2. $|\Xi|_k, |\Theta| \vdash_{|\Xi|} g_i$ (i.h. on 1)

3. $|\Xi|_k, |\Theta| \vdash_{|\Xi|} g'_i\theta$ ($g'_i\theta = g_i$)

4. $|\Xi|_k, |\Theta| \vdash_{|\Xi|} p'\theta$ (Rule (bc) on 3; $(\forall y.\,(p' \mathrel{:\!-} g'_1, \ldots, g'_m)) \in |\Xi|_k$)

5. $|\Xi|_k, |\Theta| \vdash_{|\Xi|} p$ ($p'\theta = p$)

6. $|\Xi|_k, |\Theta|, p \vdash_{|\Xi|} |\gamma|$ (i.h. on 2nd premise)

7. $|\Xi|_k, |\Theta| \vdash_{|\Xi|} |\gamma|$ (Substitution Lemma A.6 on 5,6)

Case. $\dfrac{\cdot; \Xi, \Theta, \forall x, x'.\,((\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p), (\forall x'.\,((\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p))[t/x] \xrightarrow{k} \gamma}{\cdot; \Xi, \Theta, \forall x, x'.\,((\ulcorner g_1 \urcorner \wedge \ldots \wedge \ulcorner g_m \urcorner) \supset p) \xrightarrow{k} \gamma}$ (∀L)

To show: $|\Xi|_k, |\Theta| \vdash_{|\Xi|} |\gamma|$

First observe that the premise is regular. Then, the required statement follows by i.h. on the premise. □
$\Sigma; \Gamma, p \to p$ (init)

$\dfrac{\Sigma; \Gamma \to s \qquad \Sigma; \Gamma \to s'}{\Sigma; \Gamma \to s \wedge s'}$ (∧R)

$\dfrac{\Sigma; \Gamma, s \wedge s', s, s' \to r}{\Sigma; \Gamma, s \wedge s' \to r}$ (∧L)

$\dfrac{\Sigma; \Gamma \to s}{\Sigma; \Gamma \to s \vee s'}$ (∨R1)

$\dfrac{\Sigma; \Gamma \to s'}{\Sigma; \Gamma \to s \vee s'}$ (∨R2)

$\dfrac{\Sigma; \Gamma, s \vee s', s \to r \qquad \Sigma; \Gamma, s \vee s', s' \to r}{\Sigma; \Gamma, s \vee s' \to r}$ (∨L)

$\Sigma; \Gamma \to \top$ (⊤R)

$\Sigma; \Gamma, \bot \to r$ (⊥L)

$\dfrac{\Sigma; \Gamma, s \to s'}{\Sigma; \Gamma \to s \supset s'}$ (⊃R)

$\dfrac{\Sigma; \Gamma, s \supset s' \to s \qquad \Sigma; \Gamma, s \supset s', s' \to r}{\Sigma; \Gamma, s \supset s' \to r}$ (⊃L)

$\dfrac{\Sigma, x{:}\sigma; \Gamma \to s}{\Sigma; \Gamma \to \forall x{:}\sigma.\,s}$ (∀R)

$\dfrac{\Sigma; \Gamma, \forall x{:}\sigma.\,s, s[t/x] \to r \qquad \Sigma \vdash t : \sigma}{\Sigma; \Gamma, \forall x{:}\sigma.\,s \to r}$ (∀L)

$\dfrac{\Sigma; \Gamma \to s[t/x] \qquad \Sigma \vdash t : \sigma}{\Sigma; \Gamma \to \exists x{:}\sigma.\,s}$ (∃R)

$\dfrac{\Sigma, x{:}\sigma; \Gamma, \exists x{:}\sigma.\,s, s \to r}{\Sigma; \Gamma, \exists x{:}\sigma.\,s \to r}$ (∃L)

Figure A.1: Cut-free sequent calculus for intuitionistic first-order logic


Theorem A.11 (Correctness; Theorem 3.20). Suppose $k : \Delta \in \Gamma$. Then, $\Delta \vdash_\Gamma g$ in SL if and only if $\cdot; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{k} \ulcorner g \urcorner$ in BL$_0$.

Proof. Suppose $\Delta \vdash_\Gamma g$. By Lemma A.5, we get for any fresh variable $x$ that $x{:}\mathsf{principal}; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{x} \ulcorner g \urcorner$. By Theorem 3.7, $\cdot; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{k} \ulcorner g \urcorner$.

Conversely, suppose $\cdot; \ulcorner \Gamma \urcorner, \ulcorner \Delta \urcorner \xrightarrow{k} \ulcorner g \urcorner$. Since $k : \Delta \in \Gamma$, this is a regular sequent. Hence by Lemma A.10, we must have $|\ulcorner \Gamma \urcorner|_k, |\ulcorner \Delta \urcorner| \vdash_{|\ulcorner \Gamma \urcorner|} |\ulcorner g \urcorner|$. Next observe that because $k : \Delta \in \Gamma$, $|\ulcorner \Gamma \urcorner|_k = \Delta$. Further, by definition, $\Delta \supseteq |\ulcorner \Delta \urcorner|$. Therefore, using contraction (Theorem 3.8), we get $\Delta \vdash_{|\ulcorner \Gamma \urcorner|} |\ulcorner g \urcorner|$. Finally, $|\ulcorner \Gamma \urcorner| = \Gamma$ and $|\ulcorner g \urcorner| = g$. Therefore, $\Delta \vdash_\Gamma g$.

□


A.5 Proofs from §3.6

In this section we prove Theorem 3.21, which states that the translation $\llbracket \cdot \rrbracket$ from the Horn fragment of BL$_0$ (Figure 3.8) to first-order logic is sound and complete. We use the fairly standard sequent calculus for first-order logic shown in Figure A.1. This sequent calculus admits the usual structural properties of weakening and contraction as well as the cut principle.

If $p = P\ t_1 \ldots t_n$ is an atomic formula, we write $p\ k$ as an abbreviation for $P\ k\ t_1 \ldots t_n$. We start by proving an important lemma about the translation, which is needed in the proof of soundness.
Lemma A.12 (Soundness). If a sequent $\Sigma; \Delta, \Xi \xrightarrow{k} g$ in the Horn fragment is provable in BL$_0$, then its translation $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_k \to \llbracket g \rrbracket_k$ is provable in first-order logic.

Proof. By induction on the given derivation of $\Sigma; \Delta, \Xi \xrightarrow{k} g$ and case analysis of the last rule in it. Some representative cases are shown here. Note that many of the cases do not apply at all due to syntactic restrictions on $g$ and $\Xi$.


Case. $\Sigma; \Delta, \Xi, p \xrightarrow{k} p$ (init)

To show: $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_k, p\ k \to p\ k$

This follows immediately from rule (init) in first-order logic.

Case. $\dfrac{\Sigma \vdash k \succeq k_0 \qquad \Sigma; \Delta, k\ \mathsf{claims}\ d, \Xi, d \xrightarrow{k_0} g}{\Sigma; \Delta, k\ \mathsf{claims}\ d, \Xi \xrightarrow{k_0} g}$ (claims)

By assumption on $\Delta$, we must have $k = k_0$. To show: $\Sigma; \llbracket \Delta \rrbracket, \llbracket d \rrbracket_k, \llbracket \Xi \rrbracket_k \to \llbracket g \rrbracket_k$

1. $\Sigma; \llbracket \Delta \rrbracket, \llbracket d \rrbracket_k, \llbracket \Xi \rrbracket_k, \llbracket d \rrbracket_k \to \llbracket g \rrbracket_k$ (i.h. on premise)

2. $\Sigma; \llbracket \Delta \rrbracket, \llbracket d \rrbracket_k, \llbracket \Xi \rrbracket_k \to \llbracket g \rrbracket_k$ (Contraction on 1)

Case. $\dfrac{\Sigma; \Delta, \Xi \xrightarrow{k} g \qquad \Sigma; \Delta, \Xi \xrightarrow{k} g'}{\Sigma; \Delta, \Xi \xrightarrow{k} g \wedge g'}$ (∧R)

To show: $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_k \to \llbracket g \rrbracket_k \wedge \llbracket g' \rrbracket_k$

1. $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_k \to \llbracket g \rrbracket_k$ (i.h. on 1st premise)

2. $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_k \to \llbracket g' \rrbracket_k$ (i.h. on 2nd premise)

3. $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_k \to \llbracket g \rrbracket_k \wedge \llbracket g' \rrbracket_k$ (Rule (∧R) on 1,2)

Case. $\dfrac{\Sigma; \Delta, \Xi, g \supset d \xrightarrow{k} g \qquad \Sigma; \Delta, \Xi, g \supset d, d \xrightarrow{k} g'}{\Sigma; \Delta, \Xi, g \supset d \xrightarrow{k} g'}$ (⊃L)

To show: $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_k, \llbracket g \rrbracket_k \supset \llbracket d \rrbracket_k \to \llbracket g' \rrbracket_k$

1. $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_k, \llbracket g \rrbracket_k \supset \llbracket d \rrbracket_k \to \llbracket g \rrbracket_k$ (i.h. on 1st premise)

2. $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_k, \llbracket g \rrbracket_k \supset \llbracket d \rrbracket_k, \llbracket d \rrbracket_k \to \llbracket g' \rrbracket_k$ (i.h. on 2nd premise)

3. $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_k, \llbracket g \rrbracket_k \supset \llbracket d \rrbracket_k \to \llbracket g' \rrbracket_k$ (Rule (⊃L) on 1,2)

Case. $\dfrac{\Sigma; \Delta{|}, \Xi{|} \xrightarrow{k} g}{\Sigma; \Delta, \Xi \xrightarrow{k_0} k\ \mathsf{says}\ g}$ (saysR)

To show: $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_{k_0} \to \llbracket g \rrbracket_k$

1. $\Sigma; \Delta \xrightarrow{k} g$ (premise, $\Delta{|} = \Delta$, $\Xi{|} = \cdot$)

2. $\Sigma; \llbracket \Delta \rrbracket \to \llbracket g \rrbracket_k$ (i.h. on 1)

3. $\Sigma; \llbracket \Delta \rrbracket, \llbracket \Xi \rrbracket_{k_0} \to \llbracket g \rrbracket_k$ (Weakening on 2)

□

Lemma A.13 (Completeness). If $\Sigma; \llbracket d_1 \rrbracket_{k_1}, \ldots, \llbracket d_n \rrbracket_{k_n} \to \llbracket g \rrbracket_k$ is provable in first-order logic, then $\Sigma; k_1\ \mathsf{claims}\ d_1, \ldots, k_n\ \mathsf{claims}\ d_n \xrightarrow{k} g$ is provable in BL$_0$.

Proof. We perform a lexicographic induction, first on the given derivation of $\Sigma; \llbracket d_1 \rrbracket_{k_1}, \ldots, \llbracket d_n \rrbracket_{k_n} \to \llbracket g \rrbracket_k$ and then on the structure of $g$. We perform a case analysis on the principal formula of the last rule in the derivation. Let $\Theta$ denote hypotheses of the form $\llbracket d_1 \rrbracket_{k_1}, \ldots, \llbracket d_n \rrbracket_{k_n}$, and $|\Theta|$ denote $k_1\ \mathsf{claims}\ d_1, \ldots, k_n\ \mathsf{claims}\ d_n$.

Case. Principal formula of the last rule is atomic. Then the derivation must have the form:

$\Sigma; \Theta, \llbracket p \rrbracket_k \to \llbracket p' \rrbracket_{k'}$ (init, because $\llbracket p \rrbracket_k = \llbracket p' \rrbracket_{k'}$)

Since $(p\ k) = \llbracket p \rrbracket_k = \llbracket p' \rrbracket_{k'} = (p'\ k')$, we must have $p = p'$ and $k = k'$. Therefore we must show that $\Sigma; |\Theta|, k\ \mathsf{claims}\ p \xrightarrow{k} p$. This follows from rule (claims).

Case. Principal formula of the last rule appears on the left. Hence the last rule must be a left rule, and the principal formula must have the form $\llbracket d \rrbracket_{k'}$. Now we case analyze $d$.

Subcase. $d = p$. This is already covered in the first case.

Subcase. $d = \forall x{:}\sigma.\,d'$. Then the derivation must have the form:

$\dfrac{\Sigma; \Theta, \forall x{:}\sigma.\,\llbracket d' \rrbracket_{k'}, \llbracket d' \rrbracket_{k'}[t/x] \to \llbracket g \rrbracket_k \qquad \Sigma \vdash t : \sigma}{\Sigma; \Theta, \forall x{:}\sigma.\,\llbracket d' \rrbracket_{k'} \to \llbracket g \rrbracket_k}$ (∀L)

To show: $\Sigma; |\Theta|, k'\ \mathsf{claims}\ \forall x{:}\sigma.\,d' \xrightarrow{k} g$

1. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ \forall x{:}\sigma.\,d', k'\ \mathsf{claims}\ d'[t/x] \xrightarrow{k} g$ (i.h. on premise)

2. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ \forall x{:}\sigma.\,d', \forall x{:}\sigma.\,d', d'[t/x] \xrightarrow{k'} d'[t/x]$ (Theorem 3.11)

3. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ \forall x{:}\sigma.\,d', \forall x{:}\sigma.\,d' \xrightarrow{k'} d'[t/x]$ (Rule (∀L) on 2)

4. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ \forall x{:}\sigma.\,d' \xrightarrow{k'} d'[t/x]$ (Rule (claims) on 3)

5. $\Sigma; (|\Theta|, k'\ \mathsf{claims}\ \forall x{:}\sigma.\,d'){|} \xrightarrow{k'} d'[t/x]$ (4; $(|\Theta|, k'\ \mathsf{claims}\ \forall x{:}\sigma.\,d'){|} = |\Theta|, k'\ \mathsf{claims}\ \forall x{:}\sigma.\,d'$)

6. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ \forall x{:}\sigma.\,d' \xrightarrow{k} g$ (Theorem 3.10 on 5,1)

Subcase. $d = g' \supset d'$. Then the derivation must have the form:

$\dfrac{\Sigma; \Theta, \llbracket g' \rrbracket_{k'} \supset \llbracket d' \rrbracket_{k'} \to \llbracket g' \rrbracket_{k'} \qquad \Sigma; \Theta, \llbracket g' \rrbracket_{k'} \supset \llbracket d' \rrbracket_{k'}, \llbracket d' \rrbracket_{k'} \to \llbracket g \rrbracket_k}{\Sigma; \Theta, \llbracket g' \rrbracket_{k'} \supset \llbracket d' \rrbracket_{k'} \to \llbracket g \rrbracket_k}$ (⊃L)

To show: $\Sigma; |\Theta|, k'\ \mathsf{claims}\ (g' \supset d') \xrightarrow{k} g$

1. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ (g' \supset d') \xrightarrow{k'} g'$ (i.h. on 1st premise)

2. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ (g' \supset d'), k'\ \mathsf{claims}\ d' \xrightarrow{k} g$ (i.h. on 2nd premise)

3. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ (g' \supset d'), g' \supset d', d' \xrightarrow{k'} d'$ (Theorem 3.11)

4. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ (g' \supset d'), g' \supset d' \xrightarrow{k'} d'$ (Rule (⊃L) on 1,3)

5. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ (g' \supset d') \xrightarrow{k'} d'$ (Rule (claims) on 4)

6. $\Sigma; (|\Theta|, k'\ \mathsf{claims}\ (g' \supset d')){|} \xrightarrow{k'} d'$ (5; $(|\Theta|, k'\ \mathsf{claims}\ (g' \supset d')){|} = |\Theta|, k'\ \mathsf{claims}\ (g' \supset d')$)

7. $\Sigma; |\Theta|, k'\ \mathsf{claims}\ (g' \supset d') \xrightarrow{k} g$ (Theorem 3.10 on 6,2)

Subcase. $d = \top$ does not arise since there is no left rule for $\top$.

Subcase. $d = d_1 \wedge d_2$ is similar to the subcase $d = g' \supset d'$.

Case. Principal formula of the last rule appears on the right. Hence the last rule must be a right rule, and the principal formula is $\llbracket g \rrbracket_k$. We now case analyze the form of $g$.

Subcase. $g = p$. This is already covered in the first case.

Subcase. $g = k'\ \mathsf{says}\ g'$. Let the given derivation prove $\Sigma; \Theta \to \llbracket k'\ \mathsf{says}\ g' \rrbracket_k$. Then we have to show that $\Sigma; |\Theta| \xrightarrow{k} k'\ \mathsf{says}\ g'$.

1. $\Sigma; \Theta \to \llbracket g' \rrbracket_{k'}$ (Assumption; $\llbracket k'\ \mathsf{says}\ g' \rrbracket_k = \llbracket g' \rrbracket_{k'}$)

2. $\Sigma; |\Theta| \xrightarrow{k'} g'$ (i.h. on 1, smaller $g$)

3. $\Sigma; (|\Theta|){|} \xrightarrow{k'} g'$ (2; $(|\Theta|){|} = |\Theta|$)

4. $\Sigma; |\Theta| \xrightarrow{k} k'\ \mathsf{says}\ g'$ (Rule (saysR) on 3)
Subcase. $g = g_1 \wedge g_2$. The derivation must have the form:

$\dfrac{\Sigma; \Theta \to \llbracket g_1 \rrbracket_k \qquad \Sigma; \Theta \to \llbracket g_2 \rrbracket_k}{\Sigma; \Theta \to \llbracket g_1 \wedge g_2 \rrbracket_k}$ (∧R)

To show: $\Sigma; |\Theta| \xrightarrow{k} g_1 \wedge g_2$

1. $\Sigma; |\Theta| \xrightarrow{k} g_1$ (i.h. on 1st premise)

2. $\Sigma; |\Theta| \xrightarrow{k} g_2$ (i.h. on 2nd premise)

3. $\Sigma; |\Theta| \xrightarrow{k} g_1 \wedge g_2$ (Rule (∧R) on 1,2)

Subcases for the remaining forms of $g$ are similar to the subcase $g = g_1 \wedge g_2$.

□
Theorem A.14 (Correctness of Translation; Theorem 3.21). Let $\Sigma; \Delta, \Xi \xrightarrow{k} g$ be a sequent in the Horn fragment of BL$_S$ and assume that for each $d \in \Xi$, $k\ \mathsf{claims}\ d \in \Delta$. Then $\Sigma; \Delta, \Xi \xrightarrow{k} g$ is provable in BL$_S$ if and only if its translation $\Sigma; [\![\Delta]\!], [\![\Xi]\!]_k \to [\![g]\!]_k$ is provable in first-order logic.

Proof. Suppose $\Sigma; \Delta, \Xi \xrightarrow{k} g$ is provable in BL$_S$. Then by Lemma A.12, $\Sigma; [\![\Delta]\!], [\![\Xi]\!]_k \to [\![g]\!]_k$. Conversely, suppose that $\Sigma; [\![\Delta]\!], [\![\Xi]\!]_k \to [\![g]\!]_k$, and assume that

1. $\Xi = d_1, \ldots, d_n$
2. $\Delta = \{k\ \mathsf{claims}\ d_1, \ldots, k\ \mathsf{claims}\ d_n\} \cup \{k_1'\ \mathsf{claims}\ d_1', \ldots, k_m'\ \mathsf{claims}\ d_m'\}$

Then $[\![\Xi]\!]_k = [\![d_1]\!]_k, \ldots, [\![d_n]\!]_k$ and $[\![\Delta]\!] = [\![d_1]\!]_k, \ldots, [\![d_n]\!]_k, [\![d_1']\!]_{k_1'}, \ldots, [\![d_m']\!]_{k_m'}$. Hence the given derivation proves:
\[
\Sigma; [\![d_1]\!]_k, \ldots, [\![d_n]\!]_k, [\![d_1']\!]_{k_1'}, \ldots, [\![d_m']\!]_{k_m'}, [\![d_1]\!]_k, \ldots, [\![d_n]\!]_k \to [\![g]\!]_k
\]
By contraction in first-order logic, there must also be a derivation of
\[
\Sigma; [\![d_1]\!]_k, \ldots, [\![d_n]\!]_k, [\![d_1']\!]_{k_1'}, \ldots, [\![d_m']\!]_{k_m'} \to [\![g]\!]_k
\]
Hence by Lemma A.13, there is a BL$_S$ derivation of
\[
\Sigma; k\ \mathsf{claims}\ d_1, \ldots, k\ \mathsf{claims}\ d_n, k_1'\ \mathsf{claims}\ d_1', \ldots, k_m'\ \mathsf{claims}\ d_m' \xrightarrow{k} g
\]
or equivalently, there is a derivation of
\[
\Sigma; \Delta \xrightarrow{k} g
\]
By weakening (Theorem 3.8), there must also be a derivation of
\[
\Sigma; \Delta, \Xi \xrightarrow{k} g
\]
□
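Theorem A.14 is what makes the Horn fragment practical: a policy query in the view of $k$ can be decided by translating the claims into first-order Horn clauses and running an ordinary Horn-clause prover. The Python program below is an added example, not code from the thesis or from PCFS. It implements the translation clauses that the proof of Lemma A.13 relies on ($[\![k'\ \mathsf{says}\ g]\!]_k = [\![g]\!]_{k'}$, and $[\![\cdot]\!]_k$ commuting with $\wedge$, $\supset$ and $\top$), then decides the translated sequent by forward chaining. The encoding of atoms as principal-tagged atoms ($[\![p]\!]_k$ is $p$ tagged with $k$), the restriction to ground clauses, the tuple representation, the names `translate`, `translate_sequent`, `provable`, and the sample policy are assumptions of the example, not definitions taken from the thesis.

```python
"""Translation of the Horn fragment of BL_S into first-order Horn clauses,
and a forward-chaining decision of the translated sequent (Theorem A.14).

Added example, not code from the thesis or PCFS.  It follows the translation
clauses used in Lemma A.13: [[k' says g]]_k = [[g]]_{k'},
[[g1 /\ g2]]_k = [[g1]]_k /\ [[g2]]_k, [[g > d]]_k = [[g]]_k > [[d]]_k, [[T]]_k = T.
ASSUMPTION: atoms are translated by tagging them with the view principal,
[[p(t)]]_k = p(t, k); the thesis's own encoding of atoms is not on this page.
Only ground (variable-free) policies are handled.
"""

# ----- BL_S formulas (Horn fragment) as plain tuples -----
def atom(name, *args): return ('atom', name, tuple(args))
def says(k, g):        return ('says', k, g)
def imp(g, d):         return ('imp', g, d)       # g > d  (g a goal, d a clause)
def conj(a, b):        return ('and', a, b)
TOP = ('top',)

def translate(f, k):
    """[[f]]_k : BL_S formula in view k -> first-order formula."""
    tag = f[0]
    if tag == 'atom':                         # ASSUMED clause: tag the atom with k
        return ('atom', f[1], f[2], k)
    if tag == 'top':
        return TOP
    if tag in ('and', 'imp'):                 # translation commutes with /\ and >
        return (tag, translate(f[1], k), translate(f[2], k))
    if tag == 'says':                         # [[k' says g]]_k = [[g]]_{k'}
        return translate(f[2], f[1])
    raise ValueError(f"unknown connective {tag!r}")

def body_atoms(g):
    """Translated goal (a conjunction of tagged atoms) -> set of atoms."""
    if g[0] == 'top':  return set()
    if g[0] == 'atom': return {g}
    if g[0] == 'and':  return body_atoms(g[1]) | body_atoms(g[2])
    raise ValueError(f"{g!r} is not a Horn goal")

def horn_clauses(d, body=frozenset()):
    """Translated clause -> list of (head atom, frozenset of body atoms)."""
    if d[0] == 'top':  return []
    if d[0] == 'atom': return [(d, body)]
    if d[0] == 'and':  return horn_clauses(d[1], body) + horn_clauses(d[2], body)
    if d[0] == 'imp':  return horn_clauses(d[2], body | frozenset(body_atoms(d[1])))
    raise ValueError(f"{d!r} is not a Horn clause")

def translate_sequent(delta, xi, k, g):
    """Sigma; Delta, Xi -->^k g  |->  (Horn clauses of [[Delta]], [[Xi]]_k ; atoms of [[g]]_k).
    delta: list of (k', d) standing for `k' claims d`;  xi: list of clauses d."""
    clauses = []
    for kp,  d in delta:
        clauses += horn_clauses(translate(d, kp))   # [[k' claims d]] = [[d]]_{k'}
    for d in xi:
        clauses += horn_clauses(translate(d, k))    # [[Xi]]_k
    return clauses, body_atoms(translate(g, k))

def forward_chain(clauses):
    """Least fixed point of the ground Horn clauses (first-order provability)."""
    facts, changed = set(), True
    while changed:
        changed = False
        for head, body in clauses:
            if head not in facts and body <= facts:
                facts.add(head)
                changed = True
    return facts

def provable(delta, xi, k, g):
    """Decide Sigma; Delta, Xi -->^k g by Theorem A.14."""
    clauses, goal = translate_sequent(delta, xi, k, g)
    return goal <= forward_chain(clauses)

# ----- Constructed sample policy (not from the thesis) -----
# fs trusts admin on read permissions; admin delegates employee status to hr.
D_FS = imp(says('admin', atom('mayread', 'alice', 'secrets')),
           atom('mayread', 'alice', 'secrets'))
DELTA = [
    ('fs',    D_FS),
    ('admin', imp(says('hr', atom('employee', 'alice')),
                  atom('mayread', 'alice', 'secrets'))),
    ('hr',    atom('employee', 'alice')),
    ('hr',    atom('mayread', 'bob', 'secrets')),   # hr is not trusted on this
]
XI = [D_FS]          # clauses of the view principal fs; fs claims D_FS is in DELTA

if __name__ == '__main__':
    print(provable(DELTA, XI, 'fs', atom('mayread', 'alice', 'secrets')))   # True
    print(provable(DELTA, XI, 'fs', atom('mayread', 'bob', 'secrets')))     # False
```

The second query fails because hr's claim is translated to an atom tagged with hr, while the goal in the view of fs is tagged with fs, and no clause bridges the two; this is exactly the separation of principals that the translation preserves.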
Appendix B. Proofs from §4

B.1 Proofs from §4.2.3

Lemma B.1 (Constraint substitution). Suppose the following hold:

1. $\Sigma; \Psi, c_0; E; \Gamma \vdash_\nu s \circ [u_1, u_2]$
2. $\Sigma; \Psi \models c_0$

Then $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2]$ by a derivation of shorter or equal depth.

Proof. By induction on the given derivation of $\Sigma; \Psi, c_0; E; \Gamma \vdash_\nu s \circ [u_1, u_2]$, and case analysis of its last rule. The interesting cases are rules where $\Sigma; \Psi \models \cdot$ is used in one of the premises. In such cases, we appeal to the assumption (C-cut) from §4.2.1. For the remaining rules, we just apply the induction hypothesis to the premises, and reapply the rule to the modified premises. We show one of the interesting cases here.

Case.
\[
\frac{\Sigma; \Psi, c_0 \models u_1' \le u_1 \qquad \Sigma; \Psi, c_0 \models u_2 \le u_2'}
     {\Sigma; \Psi, c_0; E; \Gamma, s \circ [u_1', u_2'] \vdash_\nu s \circ [u_1, u_2]}\ (\mathrm{hyp})
\]
To show: $\Sigma; \Psi; E; \Gamma, s \circ [u_1', u_2'] \vdash_\nu s \circ [u_1, u_2]$.

1. $\Sigma; \Psi \models c_0$ (Assumption)
2. $\Sigma; \Psi \models u_1' \le u_1$ ((C-cut) on 1 and 1st premise)
3. $\Sigma; \Psi \models u_2 \le u_2'$ ((C-cut) on 1 and 2nd premise)
4. $\Sigma; \Psi; E; \Gamma, s \circ [u_1', u_2'] \vdash_\nu s \circ [u_1, u_2]$ (Rule (hyp) on 2, 3)

□


Theorem B.2 (Time subsumption; Theorem 4.4). Suppose the following hold:

1. $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2]$
2. $\Sigma; \Psi \models u_1 \le u_n$
3. $\Sigma; \Psi \models u_m \le u_2$

Then $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_n, u_m]$.

Proof. By induction on the depth of the given derivation of $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2]$ and case analysis of its last rule. Some representative and interesting cases are shown below.

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \circ [u_1, u_2] \qquad \Sigma; \Psi; E; \Gamma \vdash_\nu s_2 \circ [u_1, u_2]}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \wedge s_2 \circ [u_1, u_2]}\ (\wedge I)
\]
To show: $\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \wedge s_2 \circ [u_n, u_m]$.

1. $\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \circ [u_n, u_m]$ (i.h. on 1st premise)
2. $\Sigma; \Psi; E; \Gamma \vdash_\nu s_2 \circ [u_n, u_m]$ (i.h. on 2nd premise)
3. $\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \wedge s_2 \circ [u_n, u_m]$ (Rule ($\wedge$I) on 1 and 2)

Case.
\[
\frac{\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \le x_1, x_2 \le u_2; E; \Gamma, s_1 \circ [x_1, x_2] \vdash_\nu s_2 \circ [x_1, x_2]}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \supset s_2 \circ [u_1, u_2]}\ (\supset I)
\]
To show: $\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \supset s_2 \circ [u_n, u_m]$.

1. $\Sigma; \Psi \models u_1 \le u_n$ (Assumption 2)
2. $\Sigma; \Psi, u_n \le x_1 \models u_1 \le u_n$ ((C-weaken) from §4.2.1 on 1)
3. $\Sigma; \Psi, u_n \le x_1 \models u_n \le x_1$ ((C-hyp) from §4.2.1)
4. $\Sigma; \Psi, u_n \le x_1 \models u_1 \le x_1$ ((C-trans-time) from §4.2.1 on 2, 3)
5. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \le x_1, x_2 \le u_2; E; \Gamma, s_1 \circ [x_1, x_2] \vdash_\nu s_2 \circ [x_1, x_2]$ (premise)
6. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_n \le x_1, x_2 \le u_2; E; \Gamma, s_1 \circ [x_1, x_2] \vdash_\nu s_2 \circ [x_1, x_2]$ (Lemma B.1 on 4, 5)
7. $\Sigma; \Psi, x_2 \le u_m \models x_2 \le u_2$ (Similar to 4)
8. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_n \le x_1, x_2 \le u_m; E; \Gamma, s_1 \circ [x_1, x_2] \vdash_\nu s_2 \circ [x_1, x_2]$ (Lemma B.1 on 7, 6)
9. $\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \supset s_2 \circ [u_n, u_m]$ (Rule ($\supset$I) on 8)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \supset s_2 \circ [u_1, u_2] \qquad
      \Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \circ [u_1', u_2'] \qquad
      \Sigma; \Psi \models u_1 \le u_1' \qquad \Sigma; \Psi \models u_2' \le u_2}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu s_2 \circ [u_1', u_2']}\ (\supset E)
\]
To show: $\Sigma; \Psi; E; \Gamma \vdash_\nu s_2 \circ [u_n, u_m]$ (here the assumptions read $\Sigma; \Psi \models u_1' \le u_n$ and $\Sigma; \Psi \models u_m \le u_2'$).

1. $\Sigma; \Psi \models u_1' \le u_n$ (Assumption 2)
2. $\Sigma; \Psi \models u_1 \le u_n$ ((C-trans-time) from §4.2.1 on 3rd premise and 1)
3. $\Sigma; \Psi \models u_m \le u_2'$ (Assumption 3)
4. $\Sigma; \Psi \models u_m \le u_2$ ((C-trans-time) from §4.2.1 on 3 and 4th premise)
5. $\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \circ [u_n, u_m]$ (i.h. on 2nd premise)
6. $\Sigma; \Psi; E; \Gamma \vdash_\nu s_2 \circ [u_n, u_m]$ (Rule ($\supset$E) on 1st premise and 5, 2, 4)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma| \vdash_{k, u_1, u_2} s \circ [u_1, u_2]}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu k\ \mathsf{says}\ s \circ [u_1, u_2]}\ (\mathrm{saysI})
\]
To show: $\Sigma; \Psi; E; \Gamma \vdash_\nu k\ \mathsf{says}\ s \circ [u_n, u_m]$.

1. $\Sigma; \Psi \models k \succeq k$ ((C-refl-prin) from §4.2.1)
2. $\Sigma; \Psi \models u_1 \le u_n$ (Assumption 2)
3. $\Sigma; \Psi \models u_m \le u_2$ (Assumption 3)
4. $\Sigma; \Psi; E; \Gamma| \vdash_{k, u_n, u_m} s \circ [u_1, u_2]$ (Theorem 4.3 on 1, 2, 3 and premise)
5. $\Sigma; \Psi; E; \Gamma| \vdash_{k, u_n, u_m} s \circ [u_n, u_m]$ (i.h. on 4)
6. $\Sigma; \Psi; E; \Gamma \vdash_\nu k\ \mathsf{says}\ s \circ [u_n, u_m]$ (Rule (saysI) on 5)

□
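The constraint reasoning that Lemma B.1 and Theorem B.2 discharge by hand ((C-hyp), (C-refl-time), (C-trans-time), (C-weaken), (C-refl-prin)) together with the interval and principal side conditions of the rules (hyp) and (claims) are exactly what a checker for BL judgments has to decide before it accepts a proof. The Python below is an added example, not code from the thesis or from PCFS: it implements a small entailment procedure for $\Sigma; \Psi \models u \le u'$ and $\Sigma; \Psi \models k \succeq k'$, the two hypothesis rules on top of it for a judgment $s \circ [u_1, u_2]$ in view $\nu = k, u_b, u_e$, and a check of the narrowing property of Theorem B.2 at the level of a single rule. The concrete constraint domain (numeric constants with $\pm\infty$ plus named time variables, ordered only by the numeric order and the hypotheses in $\Psi$), the class and function names, and the sample scenario are assumptions of the example; the thesis leaves the constraint domain abstract.

```python
"""Constraint entailment and the time-indexed hypothesis rules of BL.

Added example, not code from the thesis or PCFS.  Implements the side
conditions the proofs above discharge by hand:
  Sigma; Psi |= u <= u'   via (C-hyp), (C-refl-time), (C-trans-time), (C-weaken)
  Sigma; Psi |= k >= k'   via (C-refl-prin) and transitivity
and on top of them the natural-deduction rules (hyp) and (claims).
ASSUMPTIONS: time terms are numbers (-inf/+inf allowed) or named variables
(str); constants are ordered numerically and -inf/+inf bound every term.
"""
import math
from collections import deque

class TimeConstraints:
    """Psi as a list of pairs (a, b) meaning a <= b."""
    def __init__(self, psi=()):
        self.psi = list(psi)

    def extend(self, *cs):
        """Psi, c  (what (consE) and (C-weaken) add to the context)."""
        return TimeConstraints(self.psi + list(cs))

    def entails(self, a, b):
        """Sigma; Psi |= a <= b: search the <=-graph from a to b.  Edges are the
        hypotheses in Psi (C-hyp), closed under (C-trans-time); numeric
        constants are compared directly (ASSUMED constraint domain)."""
        if a == b or a == -math.inf or b == math.inf:      # (C-refl-time), bounds
            return True
        consts = {t for c in self.psi for t in c if not isinstance(t, str)}
        seen, todo = {a}, deque([a])
        while todo:
            cur = todo.popleft()
            succ = [y for (x, y) in self.psi if x == cur]
            if not isinstance(cur, str):                   # numeric constant
                if not isinstance(b, str) and cur <= b:
                    return True
                succ += [c for c in consts if cur <= c]
            for y in succ:
                if y == b:
                    return True
                if y not in seen:
                    seen.add(y)
                    todo.append(y)
        return False

class PrincipalOrder:
    """Declared facts (k, k') meaning k >= k' (k' trusts k), closed under
    (C-refl-prin) and transitivity."""
    def __init__(self, facts=()):
        self.facts = set(facts)

    def entails(self, k, kp):
        seen, todo = {k}, [k]
        while todo:
            cur = todo.pop()
            if cur == kp:
                return True
            for (x, y) in self.facts:
                if x == cur and y not in seen:
                    seen.add(y)
                    todo.append(y)
        return False

def rule_hyp(psi, hyp_interval, goal_interval):
    """(hyp): Gamma, s o [u1',u2'] |-_nu s o [u1,u2] needs
       Psi |= u1' <= u1 and Psi |= u2 <= u2'  (goal interval inside hypothesis)."""
    (u1p, u2p), (u1, u2) = hyp_interval, goal_interval
    return psi.entails(u1p, u1) and psi.entails(u2, u2p)

def rule_claims(psi, prins, view, claim, goal_interval):
    """(claims): Gamma, k' claims s o [u1',u2'] |-_{k,ub,ue} s o [u1,u2] needs the
       (hyp) conditions plus Psi |= u1' <= ub, Psi |= ue <= u2' (the claim covers
       the view's interval) and Psi |= k' >= k."""
    k, ub, ue = view
    kp, (u1p, u2p) = claim
    return (rule_hyp(psi, (u1p, u2p), goal_interval)
            and psi.entails(u1p, ub) and psi.entails(ue, u2p)
            and prins.entails(kp, k))

def narrowable(psi, check, un, um, u1, u2):
    """Theorem B.2 for one rule instance: if `check` accepts [u1,u2] and
    Psi |= u1 <= un, um <= u2, it must also accept [un,um].  Returns None
    when the theorem's hypotheses do not hold."""
    if not (check((u1, u2)) and psi.entails(u1, un) and psi.entails(um, u2)):
        return None
    return check((un, um))

# ----- Constructed scenario (not from the thesis) -----
PSI = TimeConstraints([('t_req', 20), (10, 't_req')])   # request time t_req in [10,20]
PRINS = PrincipalOrder([('admin', 'fs')])               # fs trusts admin
VIEW = ('fs', 't_req', 't_req')                          # nu = fs, t_req, t_req
CLAIM = ('admin', (0, 100))                              # admin claims s o [0,100]

if __name__ == '__main__':
    print(rule_claims(PSI, PRINS, VIEW, CLAIM, (10, 50)))                 # True
    print(rule_claims(PSI, PRINS, VIEW, CLAIM, (10, 150)))                # False
    print(rule_claims(PSI, PRINS, ('fs', 't_req', 200), CLAIM, (10, 50)))  # False
```

The second call is rejected because the goal interval extends beyond the claim, the third because the view's interval runs past the claim's end even though the goal interval is fine; both are the (claims) side conditions, not a failure of the time-subsumption theorem, which only ever narrows a conclusion.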


B.2 Proofs from §4.2.5

Lemma B.3 (Constraint substitution). Suppose the following hold:

1. $\Sigma; \Psi, c_0; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$
2. $\Sigma; \Psi \models c_0$

Then $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$ by a derivation of shorter or equal depth.

Proof. By induction on the given derivation of $\Sigma; \Psi, c_0; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$, and case analysis of its last rule. The interesting cases are rules where $\Sigma; \Psi \models \cdot$ is used in one of the premises. In such cases, we appeal to the assumption (C-cut) from §4.2.1. We show one of the interesting cases here.

Case.
\[
\frac{\Sigma; \Psi, c_0 \models u_1' \le u_1 \qquad \Sigma; \Psi, c_0 \models u_2 \le u_2'}
     {\Sigma; \Psi, c_0; E; \Gamma, p \circ [u_1', u_2'] \xrightarrow{\nu} p \circ [u_1, u_2]}\ (\mathrm{init})
\]
To show: $\Sigma; \Psi; E; \Gamma, p \circ [u_1', u_2'] \xrightarrow{\nu} p \circ [u_1, u_2]$.

1. $\Sigma; \Psi \models c_0$ (Assumption)
2. $\Sigma; \Psi \models u_1' \le u_1$ ((C-cut) on 1 and 1st premise)
3. $\Sigma; \Psi \models u_2 \le u_2'$ ((C-cut) on 1 and 2nd premise)
4. $\Sigma; \Psi; E; \Gamma, p \circ [u_1', u_2'] \xrightarrow{\nu} p \circ [u_1, u_2]$ (Rule (init) on 2, 3)

□

Theorem B.4 (Time subsumption; Theorem 4.11). Suppose the following hold:

1. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$
2. $\Sigma; \Psi \models u_1 \le u_n$
3. $\Sigma; \Psi \models u_m \le u_2$

Then $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_n, u_m]$.

Proof. By induction on the depth of the given derivation of $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$ and case analysis of its last rule. Some representative and interesting cases are shown below.

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_1 \circ [u_1, u_2] \qquad \Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_2 \circ [u_1, u_2]}
     {\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_1 \wedge s_2 \circ [u_1, u_2]}\ (\wedge R)
\]
To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_1 \wedge s_2 \circ [u_n, u_m]$.

1. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_1 \circ [u_n, u_m]$ (i.h. on 1st premise)
2. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_2 \circ [u_n, u_m]$ (i.h. on 2nd premise)
3. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_1 \wedge s_2 \circ [u_n, u_m]$ (Rule ($\wedge$R) on 1 and 2)

Case.
\[
\frac{\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \le x_1, x_2 \le u_2; E; \Gamma, s_1 \circ [x_1, x_2] \xrightarrow{\nu} s_2 \circ [x_1, x_2]}
     {\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_1 \supset s_2 \circ [u_1, u_2]}\ (\supset R)
\]
To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_1 \supset s_2 \circ [u_n, u_m]$.

1. $\Sigma; \Psi \models u_1 \le u_n$ (Assumption 2)
2. $\Sigma; \Psi, u_n \le x_1 \models u_1 \le u_n$ ((C-weaken) from §4.2.1 on 1)
3. $\Sigma; \Psi, u_n \le x_1 \models u_n \le x_1$ ((C-hyp) from §4.2.1)
4. $\Sigma; \Psi, u_n \le x_1 \models u_1 \le x_1$ ((C-trans-time) from §4.2.1 on 2, 3)
5. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \le x_1, x_2 \le u_2; E; \Gamma, s_1 \circ [x_1, x_2] \xrightarrow{\nu} s_2 \circ [x_1, x_2]$ (premise)
6. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_n \le x_1, x_2 \le u_2; E; \Gamma, s_1 \circ [x_1, x_2] \xrightarrow{\nu} s_2 \circ [x_1, x_2]$ (Lemma B.3 on 4, 5)
7. $\Sigma; \Psi, x_2 \le u_m \models x_2 \le u_2$ (Similar to 4)
8. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_n \le x_1, x_2 \le u_m; E; \Gamma, s_1 \circ [x_1, x_2] \xrightarrow{\nu} s_2 \circ [x_1, x_2]$ (Lemma B.3 on 7, 6)
9. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_1 \supset s_2 \circ [u_n, u_m]$ (Rule ($\supset$R) on 8)

Case.
\[
\frac{\begin{array}{c}
      \Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1', u_2'] \xrightarrow{\nu} s_1 \circ [u_1'', u_2''] \qquad
      \Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1', u_2'], s_2 \circ [u_1'', u_2''] \xrightarrow{\nu} s \circ [u_1, u_2] \\
      \Sigma; \Psi \models u_1' \le u_1'' \qquad \Sigma; \Psi \models u_2'' \le u_2'
      \end{array}}
     {\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1', u_2'] \xrightarrow{\nu} s \circ [u_1, u_2]}\ (\supset L)
\]
To show: $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1', u_2'] \xrightarrow{\nu} s \circ [u_n, u_m]$.

1. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1', u_2'], s_2 \circ [u_1'', u_2''] \xrightarrow{\nu} s \circ [u_n, u_m]$ (i.h. on 2nd premise)
2. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1', u_2'] \xrightarrow{\nu} s \circ [u_n, u_m]$ (Rule ($\supset$L) on 1st premise, 1, 3rd premise, 4th premise)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma| \xrightarrow{k, u_1, u_2} s \circ [u_1, u_2]}
     {\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} k\ \mathsf{says}\ s \circ [u_1, u_2]}\ (\mathrm{saysR})
\]
To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} k\ \mathsf{says}\ s \circ [u_n, u_m]$.

1. $\Sigma; \Psi \models k \succeq k$ ((C-refl-prin) from §4.2.1)
2. $\Sigma; \Psi \models u_1 \le u_n$ (Assumption 2)
3. $\Sigma; \Psi \models u_m \le u_2$ (Assumption 3)
4. $\Sigma; \Psi; E; \Gamma| \xrightarrow{k, u_n, u_m} s \circ [u_1, u_2]$ (Theorem 4.10 on 1, 2, 3 and premise)
5. $\Sigma; \Psi; E; \Gamma| \xrightarrow{k, u_n, u_m} s \circ [u_n, u_m]$ (i.h. on 4)
6. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} k\ \mathsf{says}\ s \circ [u_n, u_m]$ (Rule (saysR) on 5)

□

Lemma B.5 (Interpreted atom substitution). Suppose the following hold:

1. $\Sigma; \Psi; E, i; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$
2. $\Sigma; E \models i$

Then $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$ by a derivation of shorter or equal depth.

Proof. By induction on the given derivation of $\Sigma; \Psi; E, i; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$, and case analysis of its last rule. The only interesting case is rule (interR) where we appeal to the assumption (S-cut) from §4.2.1. This case is shown below.

Case.
\[
\frac{\Sigma; E, i \models i'}
     {\Sigma; \Psi; E, i; \Gamma \xrightarrow{\nu} i' \circ [u_1, u_2]}\ (\mathrm{interR})
\]
To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} i' \circ [u_1, u_2]$.

1. $\Sigma; E \models i'$ ((S-cut) from §4.2.1 on premise and assumption 2)
2. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} i' \circ [u_1, u_2]$ (Rule (interR) on 1)

□


Theorem B.6 (Admissibility of cut; Theorem 4.12). The following two properties hold:

1. Suppose that
   (a) $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$ and
   (b) $\Sigma; \Psi; E; \Gamma, s \circ [u_1, u_2] \xrightarrow{\nu} s' \circ [u_1', u_2']$.
   Then $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s' \circ [u_1', u_2']$.

2. Suppose that
   (a) $\Sigma; \Psi; E; \Gamma| \xrightarrow{k, u_1, u_2} s \circ [u_1, u_2]$ and
   (b) $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \xrightarrow{\nu} s' \circ [u_1', u_2']$.
   Then $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s' \circ [u_1', u_2']$.

Proof. Both (1) and (2) are proved by a simultaneous lexicographic induction, first on the size of the cut formula $s$, then on the order (2) > (1) on the hypotheses, and then on the depths of the two given derivations. Let $\mathcal{D}$ denote the derivation in (a) and let $\mathcal{E}$ denote the derivation in (b).

Proof of (1). For proving (1) we case analyze the last rules in $\mathcal{D}$ and $\mathcal{E}$ and distinguish four sets of cases, in addition to the special case where $\mathcal{E}$ ends in (init): (A) $\mathcal{D}$ ends in a left rule, (B) $\mathcal{E}$ ends in a right rule, (C) $\mathcal{E}$ ends in a left rule but the judgment being cut is not principal in the rule, and (D) $\mathcal{E}$ ends in a left rule, $\mathcal{D}$ ends in a right rule and the cut judgment is principal. The reader may easily check that these sets of cases are exhaustive.¹ The cases in (A), (B), and (C) are straightforward. We show here the cases where $\mathcal{E}$ ends in (init), and some of the cases in (D).

¹Note that we do not need to explicitly consider the case where $\mathcal{D}$ ends in rule (init). This is a consequence of restricting the (init) rule to uninterpreted atoms. If we were to generalize the (init) rule to arbitrary formulas, then an explicit consideration of this case would be necessary.

Case. $\mathcal{E} =$
\[
\frac{\Sigma; \Psi \models u_1' \le u_1'' \qquad \Sigma; \Psi \models u_2'' \le u_2'}
     {\Sigma; \Psi; E; \Gamma, p \circ [u_1', u_2'] \xrightarrow{\nu} p \circ [u_1'', u_2'']}\ (\mathrm{init})
\]

Subcase. The cut judgment is not $p \circ [u_1', u_2']$. So let $\Gamma = \Gamma', s \circ [u_1, u_2]$ and let the judgment being cut be $s \circ [u_1, u_2]$. To show: $\Sigma; \Psi; E; \Gamma', p \circ [u_1', u_2'] \xrightarrow{\nu} p \circ [u_1'', u_2'']$. This follows by rule (init) on the premises of the given derivation.

Subcase. The cut judgment is $p \circ [u_1', u_2']$. So $\mathcal{D}$ proves $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} p \circ [u_1', u_2']$. To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} p \circ [u_1'', u_2'']$. This follows by Theorem 4.11 on the derivation $\mathcal{D}$ and the premises of (init).

Case. $\mathcal{D} =$
\[
\frac{\Sigma; \Psi; E; \Gamma| \xrightarrow{k, u_1, u_2} s \circ [u_1, u_2]}
     {\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} k\ \mathsf{says}\ s \circ [u_1, u_2]}\ (\mathrm{saysR})
\]
\[
\mathcal{E} = \frac{\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2], k\ \mathsf{claims}\ s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}
     {\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}\ (\mathrm{saysL})
\]
And the cut judgment is $k\ \mathsf{says}\ s \circ [u_1, u_2]$. To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} r \circ [u_1', u_2']$.

1. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']$ (i.h.(1) on $\mathcal{D}$ and premise of $\mathcal{E}$)
2. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} r \circ [u_1', u_2']$ (i.h.(2) on premise of $\mathcal{D}$ and 1)

The use of the i.h. in the second step is justified because the cut formula $s$ is strictly smaller than the cut formula $k\ \mathsf{says}\ s$ that we started with.

Case. $\mathcal{D} =$
\[
\frac{\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_1', u_2']}
     {\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s\,@\,[u_1', u_2'] \circ [u_1, u_2]}\ (@R)
\]
\[
\mathcal{E} = \frac{\Sigma; \Psi; E; \Gamma, s\,@\,[u_1', u_2'] \circ [u_1, u_2], s \circ [u_1', u_2'] \xrightarrow{\nu} r \circ [u_1'', u_2'']}
     {\Sigma; \Psi; E; \Gamma, s\,@\,[u_1', u_2'] \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1'', u_2'']}\ (@L)
\]
And the cut judgment is $s\,@\,[u_1', u_2'] \circ [u_1, u_2]$. To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} r \circ [u_1'', u_2'']$.

1. $\Sigma; \Psi; E; \Gamma, s \circ [u_1', u_2'] \xrightarrow{\nu} r \circ [u_1'', u_2'']$ (i.h.(1) on $\mathcal{D}$ and premise of $\mathcal{E}$)
2. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} r \circ [u_1'', u_2'']$ (i.h.(1) on premise of $\mathcal{D}$ and 1)

Case. $\mathcal{D} =$
\[
\frac{\Sigma; \Psi \models c}
     {\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} c \circ [u_1, u_2]}\ (\mathrm{consR})
\]
\[
\mathcal{E} = \frac{\Sigma; \Psi, c; E; \Gamma, c \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}
     {\Sigma; \Psi; E; \Gamma, c \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}\ (\mathrm{consL})
\]
And the cut judgment is $c \circ [u_1, u_2]$. To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} r \circ [u_1', u_2']$.

1. $\Sigma; \Psi, c; E; \Gamma \xrightarrow{\nu} r \circ [u_1', u_2']$ (i.h.(1) on $\mathcal{D}$ and premise of $\mathcal{E}$)
2. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} r \circ [u_1', u_2']$ (Lemma B.3 on premise of $\mathcal{D}$ and 1)

Case. $\mathcal{D} =$
\[
\frac{\Sigma; E \models i}
     {\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} i \circ [u_1, u_2]}\ (\mathrm{interR})
\]
\[
\mathcal{E} = \frac{\Sigma; \Psi; E, i; \Gamma, i \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}
     {\Sigma; \Psi; E; \Gamma, i \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}\ (\mathrm{interL})
\]
And the cut judgment is $i \circ [u_1, u_2]$. To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} r \circ [u_1', u_2']$.

1. $\Sigma; \Psi; E, i; \Gamma \xrightarrow{\nu} r \circ [u_1', u_2']$ (i.h.(1) on $\mathcal{D}$ and premise of $\mathcal{E}$)
2. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} r \circ [u_1', u_2']$ (Lemma B.5 on premise of $\mathcal{D}$ and 1)

Proof of (2). To prove (2) we case analyze the last rule in $\mathcal{E}$. There is only one interesting case, which we show here.

Case.
\[
\frac{\begin{array}{c}
      \Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2], s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2'] \\
      \nu = k', u_b, u_e \qquad \Sigma; \Psi \models u_1 \le u_b \qquad \Sigma; \Psi \models u_e \le u_2 \qquad \Sigma; \Psi \models k \succeq k'
      \end{array}}
     {\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}\ (\mathrm{claims})
\]
$\mathcal{D}$ proves $\Sigma; \Psi; E; \Gamma| \xrightarrow{k, u_1, u_2} s \circ [u_1, u_2]$. To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} r \circ [u_1', u_2']$.

1. $\Sigma; \Psi; E; \Gamma, s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']$ (i.h.(2) on $\mathcal{D}$ and 1st premise of $\mathcal{E}$)
2. $\Sigma; \Psi; E; \Gamma \xrightarrow{k, u_1, u_2} s \circ [u_1, u_2]$ (Weakening Theorem 4.8 on $\mathcal{D}$)
3. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$ (Theorem 4.10 on 2 and the constraint premises of (claims): $k \succeq k'$, $u_1 \le u_b$, $u_e \le u_2$)
4. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} r \circ [u_1', u_2']$ (i.h.(1) on 3, 1)

Use of the i.h. in the last step is justified because we assume the ordering (2) > (1) among the inductive hypotheses. □

Theorem B.7 (Equivalence; Theorem 4.14). The following are equivalent.

1. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$ in the sequent calculus.
2. $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2]$ in natural deduction.

Proof. We prove separately that (1) $\Rightarrow$ (2) and (2) $\Rightarrow$ (1).

Proof that (1) $\Rightarrow$ (2). By induction on the depth of the given derivation of $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$, and case analysis of its last rule. The cases where the derivation ends in a right rule (or the rule (init)) are uninteresting: we apply the i.h. to sequents in the premises and use the corresponding introduction rule (or the rule (hyp)) in natural deduction. We show here the case of the rule (claims) and some of the interesting left rules.

Case.
\[
\frac{\begin{array}{c}
      \Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2], s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2'] \\
      \nu = k', u_b, u_e \qquad \Sigma; \Psi \models u_1 \le u_b \qquad \Sigma; \Psi \models u_e \le u_2 \qquad \Sigma; \Psi \models k \succeq k'
      \end{array}}
     {\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}\ (\mathrm{claims})
\]
To show: $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2']$.

1. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2], s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2']$ (i.h. on 1st premise)
2. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu s \circ [u_1, u_2]$ (Rule (claims) in natural deduction, with the 2nd to 5th premises)
3. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2']$ (Theorem 4.5 on 2, 1)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2], k\ \mathsf{claims}\ s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}
     {\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}\ (\mathrm{saysL})
\]
To show: $\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2']$.

1. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2] \vdash_\nu k\ \mathsf{says}\ s \circ [u_1, u_2]$ (Rule (hyp))
2. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2], k\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2']$ (i.h. on premise)
3. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2']$ (Rule (saysE) on 1, 2)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma, s\,@\,[u_1', u_2'] \circ [u_1, u_2], s \circ [u_1', u_2'] \xrightarrow{\nu} r \circ [u_1'', u_2'']}
     {\Sigma; \Psi; E; \Gamma, s\,@\,[u_1', u_2'] \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1'', u_2'']}\ (@L)
\]
To show: $\Sigma; \Psi; E; \Gamma, s\,@\,[u_1', u_2'] \circ [u_1, u_2] \vdash_\nu r \circ [u_1'', u_2'']$.

1. $\Sigma; \Psi; E; \Gamma, s\,@\,[u_1', u_2'] \circ [u_1, u_2] \vdash_\nu s\,@\,[u_1', u_2'] \circ [u_1, u_2]$ (Rule (hyp))
2. $\Sigma; \Psi; E; \Gamma, s\,@\,[u_1', u_2'] \circ [u_1, u_2], s \circ [u_1', u_2'] \vdash_\nu r \circ [u_1'', u_2'']$ (i.h. on premise)
3. $\Sigma; \Psi; E; \Gamma, s\,@\,[u_1', u_2'] \circ [u_1, u_2] \vdash_\nu r \circ [u_1'', u_2'']$ (Rule (@E) on 1, 2)

Case.
\[
\frac{\Sigma; \Psi, c; E; \Gamma, c \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}
     {\Sigma; \Psi; E; \Gamma, c \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}\ (\mathrm{consL})
\]
To show: $\Sigma; \Psi; E; \Gamma, c \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2']$.

1. $\Sigma; \Psi; E; \Gamma, c \circ [u_1, u_2] \vdash_\nu c \circ [u_1, u_2]$ (Rule (hyp))
2. $\Sigma; \Psi, c; E; \Gamma, c \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2']$ (i.h. on premise)
3. $\Sigma; \Psi; E; \Gamma, c \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2']$ (Rule (consE) on 1, 2)

Case.
\[
\frac{\begin{array}{c}
      \Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \xrightarrow{\nu} s_1 \circ [u_1', u_2'] \qquad
      \Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2], s_2 \circ [u_1', u_2'] \xrightarrow{\nu} r \circ [u_1'', u_2''] \\
      \Sigma; \Psi \models u_1 \le u_1' \qquad \Sigma; \Psi \models u_2' \le u_2
      \end{array}}
     {\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1'', u_2'']}\ (\supset L)
\]
To show: $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \vdash_\nu r \circ [u_1'', u_2'']$.

1. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \vdash_\nu s_1 \supset s_2 \circ [u_1, u_2]$ (Rule (hyp))
2. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \vdash_\nu s_1 \circ [u_1', u_2']$ (i.h. on 1st premise)
3. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \vdash_\nu s_2 \circ [u_1', u_2']$ (Rule ($\supset$E) on 1, 2 and 3rd, 4th premises)
4. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2], s_2 \circ [u_1', u_2'] \vdash_\nu r \circ [u_1'', u_2'']$ (i.h. on 2nd premise)
5. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \vdash_\nu r \circ [u_1'', u_2'']$ (Theorem 4.5 on 3, 4)

Proof that (2) $\Rightarrow$ (1). By induction on the depth of the given derivation of $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2]$, and case analysis of its last rule. The cases where the derivation ends in an introduction rule are uninteresting: we apply the i.h. to hypothetical judgments in the premises and use the corresponding right rule in the sequent calculus. We show here the case of the rules (hyp), (claims), and some of the interesting elimination rules.

Case.
\[
\frac{\Sigma; \Psi \models u_1' \le u_1 \qquad \Sigma; \Psi \models u_2 \le u_2'}
     {\Sigma; \Psi; E; \Gamma, s \circ [u_1', u_2'] \vdash_\nu s \circ [u_1, u_2]}\ (\mathrm{hyp})
\]
To show: $\Sigma; \Psi; E; \Gamma, s \circ [u_1', u_2'] \xrightarrow{\nu} s \circ [u_1, u_2]$. This follows from Theorem 4.13 applied to the premises of the rule.

Case.
\[
\frac{\begin{array}{c}
      \nu = k, u_b, u_e \qquad \Sigma; \Psi \models u_1' \le u_1 \qquad \Sigma; \Psi \models u_2 \le u_2' \\
      \Sigma; \Psi \models u_1' \le u_b \qquad \Sigma; \Psi \models u_e \le u_2' \qquad \Sigma; \Psi \models k' \succeq k
      \end{array}}
     {\Sigma; \Psi; E; \Gamma, k'\ \mathsf{claims}\ s \circ [u_1', u_2'] \vdash_\nu s \circ [u_1, u_2]}\ (\mathrm{claims})
\]
To show: $\Sigma; \Psi; E; \Gamma, k'\ \mathsf{claims}\ s \circ [u_1', u_2'] \xrightarrow{\nu} s \circ [u_1, u_2]$.

1. $\Sigma; \Psi; E; \Gamma, k'\ \mathsf{claims}\ s \circ [u_1', u_2'], s \circ [u_1', u_2'] \xrightarrow{\nu} s \circ [u_1, u_2]$ (Theorem 4.13 on 2nd, 3rd premises)
2. $\Sigma; \Psi; E; \Gamma, k'\ \mathsf{claims}\ s \circ [u_1', u_2'] \xrightarrow{\nu} s \circ [u_1, u_2]$ (Rule (claims) on 1 and 4th, 5th, 6th premises)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma \vdash_\nu k\ \mathsf{says}\ s \circ [u_1, u_2] \qquad
      \Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu s' \circ [u_1', u_2']}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu s' \circ [u_1', u_2']}\ (\mathrm{saysE})
\]
To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s' \circ [u_1', u_2']$.

1. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} k\ \mathsf{says}\ s \circ [u_1, u_2]$ (i.h. on 1st premise)
2. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \xrightarrow{\nu} s' \circ [u_1', u_2']$ (i.h. on 2nd premise)
3. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2], k\ \mathsf{claims}\ s \circ [u_1, u_2] \xrightarrow{\nu} s' \circ [u_1', u_2']$ (Weakening Theorem 4.8 on 2)
4. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2] \xrightarrow{\nu} s' \circ [u_1', u_2']$ (Rule (saysL) on 3)
5. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s' \circ [u_1', u_2']$ (Theorem 4.12 on 1, 4)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma \vdash_\nu s\,@\,[u_1, u_2] \circ [u_1', u_2'] \qquad
      \Sigma; \Psi; E; \Gamma, s \circ [u_1, u_2] \vdash_\nu s' \circ [u_1'', u_2'']}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu s' \circ [u_1'', u_2'']}\ (@E)
\]
To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s' \circ [u_1'', u_2'']$.

1. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s\,@\,[u_1, u_2] \circ [u_1', u_2']$ (i.h. on 1st premise)
2. $\Sigma; \Psi; E; \Gamma, s \circ [u_1, u_2] \xrightarrow{\nu} s' \circ [u_1'', u_2'']$ (i.h. on 2nd premise)
3. $\Sigma; \Psi; E; \Gamma, s\,@\,[u_1, u_2] \circ [u_1', u_2'], s \circ [u_1, u_2] \xrightarrow{\nu} s' \circ [u_1'', u_2'']$ (Weakening Theorem 4.8 on 2)
4. $\Sigma; \Psi; E; \Gamma, s\,@\,[u_1, u_2] \circ [u_1', u_2'] \xrightarrow{\nu} s' \circ [u_1'', u_2'']$ (Rule (@L) on 3)
5. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s' \circ [u_1'', u_2'']$ (Theorem 4.12 on 1, 4)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma \vdash_\nu c \circ [u_1, u_2] \qquad
      \Sigma; \Psi, c; E; \Gamma \vdash_\nu s' \circ [u_1', u_2']}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu s' \circ [u_1', u_2']}\ (\mathrm{consE})
\]
To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s' \circ [u_1', u_2']$.

1. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} c \circ [u_1, u_2]$ (i.h. on 1st premise)
2. $\Sigma; \Psi, c; E; \Gamma \xrightarrow{\nu} s' \circ [u_1', u_2']$ (i.h. on 2nd premise)
3. $\Sigma; \Psi, c; E; \Gamma, c \circ [u_1, u_2] \xrightarrow{\nu} s' \circ [u_1', u_2']$ (Weakening Theorem 4.8 on 2)
4. $\Sigma; \Psi; E; \Gamma, c \circ [u_1, u_2] \xrightarrow{\nu} s' \circ [u_1', u_2']$ (Rule (consL) on 3)
5. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s' \circ [u_1', u_2']$ (Theorem 4.12 on 1, 4)

Case.
\[
\frac{\begin{array}{c}
      \Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \supset s_2 \circ [u_1, u_2] \qquad
      \Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \circ [u_1', u_2'] \\
      \Sigma; \Psi \models u_1 \le u_1' \qquad \Sigma; \Psi \models u_2' \le u_2
      \end{array}}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu s_2 \circ [u_1', u_2']}\ (\supset E)
\]
To show: $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_2 \circ [u_1', u_2']$.

1. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2], s_2 \circ [u_1', u_2'] \xrightarrow{\nu} s_2 \circ [u_1', u_2']$ (Theorem 4.13)
2. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_1 \circ [u_1', u_2']$ (i.h. on 2nd premise)
3. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \xrightarrow{\nu} s_1 \circ [u_1', u_2']$ (Weakening Theorem 4.8 on 2)
4. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \xrightarrow{\nu} s_2 \circ [u_1', u_2']$ (Rule ($\supset$L) on 3, 1 and 3rd, 4th premises)
5. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_1 \supset s_2 \circ [u_1, u_2]$ (i.h. on 1st premise)
6. $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s_2 \circ [u_1', u_2']$ (Theorem 4.12 on 5, 4)

□


B.3 Proofs from §4.5

Lemma B.8 (Constraint substitution). Suppose $\Sigma; \Psi \models c_0$. Then the following hold.

1. $\Sigma; \Psi, c_0; E; \Gamma \vdash_\nu s \circ [u_1, u_2] \Uparrow$ implies $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2] \Uparrow$ by a derivation of shorter or equal depth.
2. $\Sigma; \Psi, c_0; E; \Gamma \vdash_\nu s \circ [u_1, u_2] \Downarrow$ implies $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2] \Downarrow$ by a derivation of shorter or equal depth.

Proof. By simultaneous induction on the derivations given in (1) and (2) and case analysis of their last rules. The interesting cases are rules where $\Sigma; \Psi \models \cdot$ is used in one of the premises. In such cases, we appeal to the assumption (C-cut) from §4.2.1. For the remaining rules, we just apply the induction hypothesis to the premises, and reapply the rule to the modified premises. We show one of the interesting cases here.

Case.
\[
\frac{\nu = k, u_b, u_e \qquad \Sigma; \Psi, c_0 \models u_1 \le u_b \qquad
      \Sigma; \Psi, c_0 \models u_e \le u_2 \qquad \Sigma; \Psi, c_0 \models k' \succeq k}
     {\Sigma; \Psi, c_0; E; \Gamma, k'\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu s \circ [u_1, u_2] \Downarrow}\ (\mathrm{claims})
\]
To show: $\Sigma; \Psi; E; \Gamma, k'\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu s \circ [u_1, u_2] \Downarrow$.

1. $\Sigma; \Psi \models c_0$ (Assumption)
2. $\Sigma; \Psi \models u_1 \le u_b$ ((C-cut) on 1 and 2nd premise)
3. $\Sigma; \Psi \models u_e \le u_2$ ((C-cut) on 1 and 3rd premise)
4. $\Sigma; \Psi \models k' \succeq k$ ((C-cut) on 1 and 4th premise)
5. $\Sigma; \Psi; E; \Gamma, k'\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu s \circ [u_1, u_2] \Downarrow$ (Rule (claims) on 2, 3, 4)

□


Theorem B.9 (Time subsumption; Theorem 4.17). Suppose the following hold:

1. $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2] \Uparrow$
2. $\Sigma; \Psi \models u_1 \le u_n$ and $\Sigma; \Psi \models u_m \le u_2$

Then $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_n, u_m] \Uparrow$.

Proof. By induction on the depth of the given derivation of $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2] \Uparrow$ and case analysis of its last rule. Some interesting cases are shown below.

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1', u_2'] \Downarrow \qquad
      \Sigma; \Psi \models u_1' \le u_1 \qquad \Sigma; \Psi \models u_2 \le u_2'}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2] \Uparrow}\ (\Downarrow\Uparrow)
\]
To show: $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_n, u_m] \Uparrow$.

1. $\Sigma; \Psi \models u_1' \le u_1$ (premise)
2. $\Sigma; \Psi \models u_1 \le u_n$ (assumption)
3. $\Sigma; \Psi \models u_1' \le u_n$ ((C-trans-time) from §4.2.1 on 1, 2)
4. $\Sigma; \Psi \models u_m \le u_2'$ (Similar to 3)
5. $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_n, u_m] \Uparrow$ (Rule ($\Downarrow\Uparrow$) on 1st premise, 3, 4)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma| \vdash_{k, u_1, u_2} s \circ [u_1, u_2] \Uparrow}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu k\ \mathsf{says}\ s \circ [u_1, u_2] \Uparrow}\ (\mathrm{saysI})
\]
To show: $\Sigma; \Psi; E; \Gamma \vdash_\nu k\ \mathsf{says}\ s \circ [u_n, u_m] \Uparrow$.

1. $\Sigma; \Psi; E; \Gamma| \vdash_{k, u_1, u_2} s \circ [u_n, u_m] \Uparrow$ (i.h. on premise)
2. $\Sigma; \Psi; E; \Gamma| \vdash_{k, u_n, u_m} s \circ [u_n, u_m] \Uparrow$ (Theorem 4.16 on 1)
3. $\Sigma; \Psi; E; \Gamma \vdash_\nu k\ \mathsf{says}\ s \circ [u_n, u_m] \Uparrow$ (Rule (saysI) on 2)

Case.
\[
\frac{\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \le x_1, x_2 \le u_2; E; \Gamma, s_1 \circ [x_1, x_2] \vdash_\nu s_2 \circ [x_1, x_2] \Uparrow}
     {\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \supset s_2 \circ [u_1, u_2] \Uparrow}\ (\supset I)
\]
To show: $\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \supset s_2 \circ [u_n, u_m] \Uparrow$.

1. $\Sigma; \Psi \models u_1 \le u_n$ (Assumption 2)
2. $\Sigma; \Psi, u_n \le x_1 \models u_1 \le u_n$ ((C-weaken) from §4.2.1 on 1)
3. $\Sigma; \Psi, u_n \le x_1 \models u_n \le x_1$ ((C-hyp) from §4.2.1)
4. $\Sigma; \Psi, u_n \le x_1 \models u_1 \le x_1$ ((C-trans-time) from §4.2.1 on 2, 3)
5. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \le x_1, x_2 \le u_2; E; \Gamma, s_1 \circ [x_1, x_2] \vdash_\nu s_2 \circ [x_1, x_2] \Uparrow$ (premise)
6. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_n \le x_1, x_2 \le u_2; E; \Gamma, s_1 \circ [x_1, x_2] \vdash_\nu s_2 \circ [x_1, x_2] \Uparrow$ (Lemma B.8 on 4, 5)
7. $\Sigma; \Psi, x_2 \le u_m \models x_2 \le u_2$ (Similar to 4)
8. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_n \le x_1, x_2 \le u_m; E; \Gamma, s_1 \circ [x_1, x_2] \vdash_\nu s_2 \circ [x_1, x_2] \Uparrow$ (Lemma B.8 on 7, 6)
9. $\Sigma; \Psi; E; \Gamma \vdash_\nu s_1 \supset s_2 \circ [u_n, u_m] \Uparrow$ (Rule ($\supset$I) on 8)

□

Theorem B.10 (Normalization; Theorem 4.19). Suppose $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2]$ in natural deduction. Then $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2] \Uparrow$.

Proof. By Theorem 4.14 it suffices to show that $\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} s \circ [u_1, u_2]$ implies $\Sigma; \Psi; E; \Gamma \vdash_\nu s \circ [u_1, u_2] \Uparrow$. We prove the latter by induction on the depth of the given sequent calculus proof and a case analysis of its last rule. Some representative cases are shown below.

Case.
\[
\frac{\Sigma; \Psi \models u_1' \le u_1 \qquad \Sigma; \Psi \models u_2 \le u_2'}
     {\Sigma; \Psi; E; \Gamma, p \circ [u_1', u_2'] \xrightarrow{\nu} p \circ [u_1, u_2]}\ (\mathrm{init})
\]
To show: $\Sigma; \Psi; E; \Gamma, p \circ [u_1', u_2'] \vdash_\nu p \circ [u_1, u_2] \Uparrow$.

1. $\Sigma; \Psi; E; \Gamma, p \circ [u_1', u_2'] \vdash_\nu p \circ [u_1', u_2'] \Downarrow$ (Rule (hyp))
2. $\Sigma; \Psi; E; \Gamma, p \circ [u_1', u_2'] \vdash_\nu p \circ [u_1, u_2] \Uparrow$ (Rule ($\Downarrow\Uparrow$) on 1 and the premises)

Case.
\[
\frac{\begin{array}{c}
      \Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2], s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2'] \\
      \nu = k', u_b, u_e \qquad \Sigma; \Psi \models u_1 \le u_b \qquad \Sigma; \Psi \models u_e \le u_2 \qquad \Sigma; \Psi \models k \succeq k'
      \end{array}}
     {\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}\ (\mathrm{claims})
\]
To show: $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2'] \Uparrow$.

1. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu s \circ [u_1, u_2] \Downarrow$ (Rule (claims) on 3rd, 4th, 5th premises)
2. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2], s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2'] \Uparrow$ (i.h. on 1st premise)
3. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2'] \Uparrow$ (Theorem 4.18 on 1, 2)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma| \xrightarrow{k, u_1, u_2} s \circ [u_1, u_2]}
     {\Sigma; \Psi; E; \Gamma \xrightarrow{\nu} k\ \mathsf{says}\ s \circ [u_1, u_2]}\ (\mathrm{saysR})
\]
To show: $\Sigma; \Psi; E; \Gamma \vdash_\nu k\ \mathsf{says}\ s \circ [u_1, u_2] \Uparrow$.

1. $\Sigma; \Psi; E; \Gamma| \vdash_{k, u_1, u_2} s \circ [u_1, u_2] \Uparrow$ (i.h. on premise)
2. $\Sigma; \Psi; E; \Gamma \vdash_\nu k\ \mathsf{says}\ s \circ [u_1, u_2] \Uparrow$ (Rule (saysI) on 1)

Case.
\[
\frac{\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2], k\ \mathsf{claims}\ s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}
     {\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1', u_2']}\ (\mathrm{saysL})
\]
To show: $\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2'] \Uparrow$.

1. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2] \vdash_\nu k\ \mathsf{says}\ s \circ [u_1, u_2] \Downarrow$ (Rule (hyp))
2. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2], k\ \mathsf{claims}\ s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2'] \Uparrow$ (i.h. on premise)
3. $\Sigma; \Psi; E; \Gamma, k\ \mathsf{says}\ s \circ [u_1, u_2] \vdash_\nu r \circ [u_1', u_2'] \Uparrow$ (Rule (saysE) on 1, 2)

Case.
\[
\frac{\begin{array}{c}
      \Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \xrightarrow{\nu} s_1 \circ [u_1', u_2'] \qquad
      \Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2], s_2 \circ [u_1', u_2'] \xrightarrow{\nu} r \circ [u_1'', u_2''] \\
      \Sigma; \Psi \models u_1 \le u_1' \qquad \Sigma; \Psi \models u_2' \le u_2
      \end{array}}
     {\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \xrightarrow{\nu} r \circ [u_1'', u_2'']}\ (\supset L)
\]
To show: $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \vdash_\nu r \circ [u_1'', u_2''] \Uparrow$.

1. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \vdash_\nu s_1 \supset s_2 \circ [u_1, u_2] \Downarrow$ (Rule (hyp))
2. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \vdash_\nu s_1 \circ [u_1', u_2'] \Uparrow$ (i.h. on 1st premise)
3. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \vdash_\nu s_2 \circ [u_1', u_2'] \Downarrow$ (Rule ($\supset$E) on 1, 2 and 3rd, 4th premises)
4. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2], s_2 \circ [u_1', u_2'] \vdash_\nu r \circ [u_1'', u_2''] \Uparrow$ (i.h. on 2nd premise)
5. $\Sigma; \Psi; E; \Gamma, s_1 \supset s_2 \circ [u_1, u_2] \vdash_\nu r \circ [u_1'', u_2''] \Uparrow$ (Theorem 4.18 on 3, 4)

□


B.4 Proofs from §4.6

Theorem B.11 (Correctness of embedding; Theorem 4.21). Suppose that for every $k$, $k'$, $\Sigma'$, and $\Psi'$ not containing A, $\Sigma'; \Psi' \models k \succeq k'$ in BL if and only if $\Sigma' \vdash k \succeq k'$ in BL$_S$. Then $\Sigma; \Gamma \xrightarrow{k} s$ is provable in BL$_S$ if and only if $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner \xrightarrow{\ulcorner k\urcorner} \ulcorner s\urcorner \circ [-\infty, +\infty]$ is provable in BL.

Proof. The "if" direction was proved in the main body of the paper. The "only if" direction follows by an induction on the depth of the given BL$_S$ derivation of $\Sigma; \Gamma \xrightarrow{k} s$ and a case analysis of its last rule. We show some of the interesting cases here.

Case.
\[
\frac{\Sigma \vdash k \succeq k_0 \qquad \Sigma; \Gamma, k\ \mathsf{claims}\ s, s \xrightarrow{k_0} r}
     {\Sigma; \Gamma, k\ \mathsf{claims}\ s \xrightarrow{k_0} r}\ (\mathrm{claims})
\]
To show: $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner, k\ \mathsf{claims}\ \ulcorner s\urcorner \circ [-\infty, +\infty] \xrightarrow{k_0, -\infty, +\infty} \ulcorner r\urcorner \circ [-\infty, +\infty]$.

1. $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner, k\ \mathsf{claims}\ \ulcorner s\urcorner \circ [-\infty, +\infty], \ulcorner s\urcorner \circ [-\infty, +\infty] \xrightarrow{k_0, -\infty, +\infty} \ulcorner r\urcorner \circ [-\infty, +\infty]$ (i.h. on 2nd premise)
2. $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner, k\ \mathsf{claims}\ \ulcorner s\urcorner \circ [-\infty, +\infty] \xrightarrow{k_0, -\infty, +\infty} \ulcorner r\urcorner \circ [-\infty, +\infty]$ (Rule (claims) on 1; $\Sigma; \cdot \models k \succeq k_0$ follows from the 1st premise and the assumption of the theorem)

Case.
\[
\frac{\Sigma; \Gamma, s \xrightarrow{k} s'}
     {\Sigma; \Gamma \xrightarrow{k} s \supset s'}\ (\supset R)
\]
To show: $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner \xrightarrow{\ulcorner k\urcorner} (\ulcorner s\urcorner\,@\,[-\infty, +\infty]) \supset \ulcorner s'\urcorner \circ [-\infty, +\infty]$.

1. $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner, \ulcorner s\urcorner \circ [-\infty, +\infty] \xrightarrow{\ulcorner k\urcorner} \ulcorner s'\urcorner \circ [-\infty, +\infty]$ (i.h. on premise)
2. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; -\infty \le x_1, x_2 \le +\infty; \cdot; \ulcorner\Gamma\urcorner, \ulcorner s\urcorner \circ [-\infty, +\infty] \xrightarrow{\ulcorner k\urcorner} \ulcorner s'\urcorner \circ [-\infty, +\infty]$ (Weakening Theorem 4.8 on 1)
3. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; -\infty \le x_1, x_2 \le +\infty; \cdot; \ulcorner\Gamma\urcorner, \ulcorner s\urcorner\,@\,[-\infty, +\infty] \circ [x_1, x_2] \xrightarrow{\ulcorner k\urcorner} \ulcorner s'\urcorner \circ [-\infty, +\infty]$ (Rule (@L) on 2)
4. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; -\infty \le x_1, x_2 \le +\infty; \cdot; \ulcorner\Gamma\urcorner, \ulcorner s\urcorner\,@\,[-\infty, +\infty] \circ [x_1, x_2] \xrightarrow{\ulcorner k\urcorner} \ulcorner s'\urcorner \circ [x_1, x_2]$ (Theorem 4.11 on 3)
5. $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner \xrightarrow{\ulcorner k\urcorner} (\ulcorner s\urcorner\,@\,[-\infty, +\infty]) \supset \ulcorner s'\urcorner \circ [-\infty, +\infty]$ (Rule ($\supset$R) on 4)

Case.
\[
\frac{\Sigma; \Gamma, s \supset s' \xrightarrow{k} s \qquad \Sigma; \Gamma, s \supset s', s' \xrightarrow{k} r}
     {\Sigma; \Gamma, s \supset s' \xrightarrow{k} r}\ (\supset L)
\]
To show: $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner, (\ulcorner s\urcorner\,@\,[-\infty, +\infty]) \supset \ulcorner s'\urcorner \circ [-\infty, +\infty] \xrightarrow{\ulcorner k\urcorner} \ulcorner r\urcorner \circ [-\infty, +\infty]$.

1. $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner, (\ulcorner s\urcorner\,@\,[-\infty, +\infty]) \supset \ulcorner s'\urcorner \circ [-\infty, +\infty] \xrightarrow{\ulcorner k\urcorner} \ulcorner s\urcorner \circ [-\infty, +\infty]$ (i.h. on 1st premise)
2. $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner, (\ulcorner s\urcorner\,@\,[-\infty, +\infty]) \supset \ulcorner s'\urcorner \circ [-\infty, +\infty] \xrightarrow{\ulcorner k\urcorner} \ulcorner s\urcorner\,@\,[-\infty, +\infty] \circ [-\infty, +\infty]$ (Rule (@R) on 1)
3. $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner, (\ulcorner s\urcorner\,@\,[-\infty, +\infty]) \supset \ulcorner s'\urcorner \circ [-\infty, +\infty], \ulcorner s'\urcorner \circ [-\infty, +\infty] \xrightarrow{\ulcorner k\urcorner} \ulcorner r\urcorner \circ [-\infty, +\infty]$ (i.h. on 2nd premise)
4. $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner, (\ulcorner s\urcorner\,@\,[-\infty, +\infty]) \supset \ulcorner s'\urcorner \circ [-\infty, +\infty] \xrightarrow{\ulcorner k\urcorner} \ulcorner r\urcorner \circ [-\infty, +\infty]$ (Rule ($\supset$L) on 2, 3; the time premises $-\infty \le -\infty$ and $+\infty \le +\infty$ hold by (C-refl-time))

Case.
\[
\frac{\Sigma; \Gamma| \xrightarrow{k} s}
     {\Sigma; \Gamma \xrightarrow{k_0} k\ \mathsf{says}\ s}\ (\mathrm{saysR})
\]
To show: $\Sigma; \cdot; \cdot; \ulcorner\Gamma\urcorner \xrightarrow{k_0, -\infty, +\infty} k\ \mathsf{says}\ \ulcorner s\urcorner \circ [-\infty, +\infty]$.
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L  E;rrp  k’—  +^°->  rsn  o  [  oo,+cx)] 

(i.h.  on  premise) 

2.  rrp  =  rrp 

(Definition) 

3.  S;rrp  fc’-7-^+?P  rgn  Q  [  OC)  +OG] 

(1,2) 

4.  S;  rrn  k°  >  A:  says  rsn  o  [— oo,  +oo] 

(Rule  (saysR)  on  3) 

□ 
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Proofs  from  §5 

C.1 Proofs from §5.1.2

Lemma C.1 (Constraint substitution). Suppose $\Sigma; \Psi \models c_0$. Then the following hold.

1. $\Sigma; \Psi, c_0; E; \Gamma \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Gamma \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2]$ by a derivation of shorter or equal depth.

2. $\Sigma; \Psi, c_0; E; \Gamma \vdash^{\nu} R \Rightarrow s \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Gamma \vdash^{\nu} R \Rightarrow s \circ [u_1,u_2]$ by a derivation of shorter or equal depth.

Proof.  By  simultaneous  induction  on  derivations  given  in  (1)  and  (2)  and  case  analysis  of 
their  last  rules,  as  in  the  proof  of  Lemma  B.8.  □ 

Theorem C.2 (Time subsumption; Theorem 5.5). Suppose the following hold:

1. $\Sigma; \Psi; E; \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2]$

2. $\Sigma; \Psi \models u_1 \le u_n$ and $\Sigma; \Psi \models u_m \le u_2$

Then $\Sigma; \Psi; E; \Pi \vdash^{\nu} V \Leftarrow s \circ [u_n,u_m]$.

Proof. By induction on the depth of the given derivation of $\Sigma; \Psi; E; \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2]$ and case analysis of its last rule. Some interesting cases are shown below.

S;  \P;  E-,T  \-v  R  ==$■  s  o  [?4,  u'2]  E;  'P  [=  u\  <  v,\  E;  'P  |=  u2  <  u'2 

Case.  - - - - - - - inter 

E;  'P;  E;T  \~  R  <=  s  o  [u\,u2] 

To  show:  E;  \P;  E;  T  b"  R  <=  s  o  [un,  um] 

1.  E;  'P  |=  u\  <  u\ 

2.  E;  'P  |=  u\  <  un 

3.  E;  'P  |=  u\  <  un 
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Case 


4.  X;  4*  |=  um  <  U2 

'==  s  o  [un,um\ 

X;  'I';  E;  T|  hk’ul’U2  V  ^  so  [Ul  ,m2] 


5.  Z;V;E;  T  h"  R 


(Similar  to  3) 
(Rule  (infer)  on  1st  premise, 3, 4) 


-saysl 


X;  4t;  E ;  T  \~v  saysl  V  <=  k  says  s  o  [111,112] 

To  show:  saysl  V  <=  k  says  s  o  [un,  um] 


1.  E;4f;E;T\  \~K’U1’U2  V 


s  o  [un ,  um\ 


k,u\,U2 

k,Un,Um  y  ^SQ  [Un)Um] 

3.  X;  4t;  E;  T  \-v  saysl  V  <=  k  says  s  o  [un,  ur 


2.  X;  4';  Pi;  T|  h 


(i.h.  on  premise) 
(Theorem  5.4  on  1) 
(Rule  (saysl)  on  2) 


X,  xi:time,  X2:time;  4t,  u\  <  x\,  X2  <  uo;  E;T,tt  :  s\  o  xi,  X2  h  V  -4=  S2  o  xi,  X2 

Case. - - - - - - - Dl 

X;  'h;  E]  T  h  impl  (xi.X2-vr.17)  <^=  si  D  S2  o  [mi,  M2] 

To  show:  X;  'h;  E\  T  h"  impl  ( X1.x2.vr. 17 )  -4=  si  D  S2  °  [un,  um] 


1.  X;  4/  |=  Ml  <  un 

2.  X,  41 ,  un  i  x\  | —  Mi  '7  un 

3.  X;  'h,  un  <  x\  \=  un  <  x\ 

4.  X;  4',  un  <  x\  |=  mi  <  x\ 


(Assumption  2) 
((C-weaken)  from  §4.2.1  on  1) 
((C-hyp)  from  §4.2.1) 
((C-trans-time)  from  §4.2.1  on  2,3) 


5.  X,  centime,  X2:time;  4v,  mi  <  xi,  X2  <  M2;  E\  T,  vr  :  si  o  [xi,  X2]  V  -4=  S2  o  [xi,  X2] 

(premise) 

6.  X,  xptime,  X2:time;  4v,  un  <  xi,  X2  <  M2;  E]  T,  7r  :  si  o  [xi,  X2]  \~u  V  -4=  S2  o  [xi,  X2] 

(Lemma C.1 on 4,5)

7.  X;  41,  X2  <  Mm  j=  X2  <  M2  (Similar  to  4) 

8.  X,  xptime,  X2:time;  4v,  un  <  x±,  X2  <  Mm;  £?;  T,  vr  :  si  o  [xi,  X2]  \~u  V  -4=  S2  0  [xi,  X2] 

(Lemma C.1 on 7,6)

9.  X;f  ;L;T  h"  impl  (xi.X2.vr.17)  -4=  si  D  S2  o  [Mn,Mm]  (Rule  (Dl)  on  8) 


□ 
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C.2  Proofs  from  §5.2.2 

Lemma C.3 (Soundness; Lemma 5.10). Suppose that the following hold for some $C$, $\mathcal{I}$, list $x$ of term variables, list $\sigma$ of sorts, list $t_0$ of terms satisfying $\Sigma \vdash t_0 : \sigma$, and system state $E_0$ not containing any element of $x$.

1. For each $(\Sigma', x{:}\sigma; \Psi' \models c') \in C$, it is the case that $\Sigma'; \Psi'[t_0/x] \models c'[t_0/x]$.

2. For each $(\Sigma', x{:}\sigma; E' \models i') \in \mathcal{I}$, it is the case that $\Sigma'; E_0, E'[t_0/x] \models i'[t_0/x]$.

Then,

A. $\Sigma, x{:}\sigma; \Psi; E; \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2] \setminus C; \mathcal{I}$ implies $\Sigma; \Psi[t_0/x]; E_0, E[t_0/x]; \Pi[t_0/x] \vdash^{\nu[t_0/x]} V[t_0/x] \Leftarrow s[t_0/x] \circ [u_1[t_0/x], u_2[t_0/x]]$

B. $\Sigma, x{:}\sigma; \Psi; E; \Pi \vdash^{\nu} R \Rightarrow s \circ [u_1,u_2] \setminus C; \mathcal{I}$ implies $\Sigma; \Psi[t_0/x]; E_0, E[t_0/x]; \Pi[t_0/x] \vdash^{\nu[t_0/x]} R[t_0/x] \Rightarrow s[t_0/x] \circ [u_1[t_0/x], u_2[t_0/x]]$

Proof. By simultaneous induction on the derivations given in A and B and case analysis of their last rules. We show some representative cases.

X,  X:cr;  'h;  E]  II  \~u  R  =>  s  o  [u\,  it2]  \  C ;  X 

C  =  (X,  X:<r;  'h  |=  ui  <  it)),  (X,  x:a;  'h  |=  u'2  <  it2) 

f  jpico  _ inter 

X,  X:cr;  Hi;  E;  II  \~v  R  -4=  s  o  [it) ,  u)]  \  C' ,  unsat(C);X 

To  show:  X;^[to/X];X0,X:[to/X];II[to/X]  R[t0/x\  «=  s[io/X]  o  [u)[fo/X],  it'2[fo/X]] 


1.  X;^[to/X];£0,X[io/X];n[io/X]  #[*o/X]  =>  s[tQ/x\  o  [ui[tQ/x\,  u2[fo/x\] 


(i.h.  on  premise) 


2.  Case  analysis  on  whether  (X,X:cr;  \h  \=  u\  <  it))  E  unsat(C)  or  not. 


3. 

4. 


•  Case:  (X,X:<r;'I'  |=  u\  <  it))  E  unsat(C) 
(a)  X;  ^[to/X]  |=ui[to/X]  <  ix) [to/X] 

•  Case:  (X,X:cr;  41  |=  iti  <  it) )  0  unsat(C) 

(a)  X,  X:er;  4i  |=  14  <  it) 

(b)  X;  ’ll  [to/ X]  |=  ui[f0/x\  <  «)[to/X] 

X;  ’Pfto/X]  |=  iti[f0/X]  <  u)[to/X] 

X;  4t[to/X]  |=  w'2[io/X]  <  u2[t u/X] 


(Assumption  1) 

(Defn.  of  unsat) 
((C-subst)  from  §4.2.1) 

(From  case  analysis) 

(Similar  to  2) 


X;  4t[to/X];  Eq,  E[io / x\]H[to / X]  R[fo/X]  <^=  s[to/X]  o  [u)[t0/X],  u'2[to/x\] 


(Rule  (infer)  on  1,2,3) 
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X,  x:a ;  'P;  E\  PE  \~u  R  =>  c  o  [u\,  112]  \  Ci ;  Xj 

T,,x:a;^f,c-,E;U  b"  V  4=  s'  o  K,u'2]  \  C2;X2 

Case.  - - - 7 — — — - consE 

X,  x:<5;  \k;  X;  II  b  consE  R  V  4=  s  o  [u) ,  it  2]  \  Ci,C2;Xl,X2 

To  show:  Tj-^lto/x];  Eq,  E[to/x\]H[to/x\  \-u^°/x^  consE  (R[to/x\)  (V\Pq/x\)  4=  s'[to/x]  o 

1.  X;^[fo/®];S0,-E[io/®];n[*o/®]  R[to/^]  c[to/x\  o  [ui[to/x\,U2[to/x\] 

(i.h.  on  1st  premise) 

2.  E;^[t^/^,c[tZ/^-,E0,E[fo/x};U[f0/x\  \-ultQ/x^  V[tQ/x\  4=  s'[tQ/x\  o  u^fo/x]} 

(i.h.  on  2nd  premise) 

3.  E;^[f0/^;Eq,E[f0/x\;U[f0/x\  b^0^1  consE  (R[f0/x\)  (V[tQ/x\)  4=  s'[f0/x\  o 

[ui[to/x\,  u'2[to/x\\  (Rule  (consE)  on  1,2) 


Case 


X  =  (X,  x:a;  E  |=  i) 


-interl 


X,  x:a:  SR ;  X;  II  \~v  interl  4=  i  o  [u\,  112]  \,  •;  unsat(X) 

To  show:  Y1-,'Si[to/x}]  Eq,  E[to/x\]U[to/x\  b^0/-']  interl  4=  i[to/x\  o  [ui[to/x\,U2[to/x\] 


1.  Case  analysis  on  whether  (X,x:cf;  E  \=  i) 

•  Case:  (X,X:cr;X  \=  i)  £  unsat(X) 

(a)  X;X0,X[fo/X]  \=i[t0/x\ 

•  Case:  (X,  x:a;  E  \=  i)  0  unsat (X) 

(a)  X,  x:a;  E  \=  i 

(b)  X,  x:a;  Eq,  E  \=  i 

(c)  E;E0[R)/x\,E[f0/x\\=  i[f0/x\ 

(d)  X0  =  E0[f0/x\ 

(e)  T,;E0,E[f0/x\  \=i[f0/x] 

T,;E0,E[f0/x}  \=  i[f0/x\ 

2.  X;  V[f0/x\;Eo,  E[f0/x\;U[f0/x\  b1^  in 


unsat (X)  or  not. 

(Assumption  2) 

(Defn.  of  unsat) 
((S- weaken)  from  §4.2.1  on  a) 
((S-subst)  from  §4.2.1  on  b) 
(Assumption) 
(c,d) 

(From  case  analysis) 
rl  4=  i[f0/x\  o  [ui[C0/x\,U2[f0/x]\ 

(Rule  (interl)  on  1) 


X,  x:a,  xptime,  x2:time;  'k,  u\  <  x±,  X2  <  u2;  X;  II,  7r  :  si  o  [xi,  x2] 
b"  V  4=  S2  O  [x\,X2]  \  C;X 

Case.  — - - - - - - - Dl 

X,  xu 5;  ’P;  E;  II  b  impl  (xi.X2-tt.V)  4=  si  D  S2  o  [m,  112]  \  C;X 

To  show:  T,\^[to/x\;  Eq,  E[to/x\;Il[to/x]  \-u^°/x^  impl  (xi.X2-TT.(V[to/x}))  4=si[to/®]  A 
S2[to/x\  O  [u1[f0/x\,U2[f0/x\] 
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1.  E,  centime,  x2:time;  ^[t0/ x\,u\[t0/ x\  <  xi,x2  <  U2[to/x\;  E0,  E[t0/x\;Il[f0/x\,ir  : 

si[to/x\  o  [xi,x2]  |— ^Po/3']  V[t0/x]  -4=  s2[to/^]  °  [xi,X2\  (i.h.  on  premise) 

2.  S;^[io /x\-,E0,E[f0/x\-,n[f0/x]  impl  (xi.x2.7t ,{V[t0/x}))  <=  si[t0/£]  A 

S2[t~o/x\  o  [ui[to/x\,u2[to/x\]  (Rule  (Dl)  on  1) 

□ 

Lemma C.4 (Completeness). Let $x$ be a list of term variables, $\sigma$ a list of sorts, and $t_0$ a list of terms such that:

1. $\Sigma \vdash t_0 : \sigma$

2. Variables in $x$ do not appear in the formulas of $\Pi$ (they may appear in top level judgment annotations like $k$ claims $\cdot$ and $\cdot \circ [u_1,u_2]$).

3. Variables in $x$ do not appear in $E_0$.

Then,

A. If variables from $x$ do not appear in $s$ and $V$ and $\Sigma; \Psi[t_0/x]; E_0; \Pi[t_0/x] \vdash^{\nu[t_0/x]} V \Leftarrow s \circ [u_1[t_0/x], u_2[t_0/x]]$, then for any $E$, there are $C$ and $\mathcal{I}$ such that:

(a) $\Sigma, x{:}\sigma; \Psi; E; \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2] \setminus C; \mathcal{I}$.

(b) For every $(\Sigma', x{:}\sigma; \Psi' \models c') \in C$, it is the case that $\Sigma'; \Psi'[t_0/x] \models c'[t_0/x]$.

(c) For every $(\Sigma', x{:}\sigma; E' \models i') \in \mathcal{I}$, it is the case that $\Sigma'; E_0, E' \models i'$.

B. If variables from $x$ do not appear in $R$ and $\Sigma; \Psi[t_0/x]; E_0; \Pi[t_0/x] \vdash^{\nu[t_0/x]} R \Rightarrow s[t_0/x] \circ [u_1[t_0/x], u_2[t_0/x]]$, then variables from $x$ do not appear in $s$ and for any $E$, there are $C$ and $\mathcal{I}$ such that:

(a) $\Sigma, x{:}\sigma; \Psi; E; \Pi \vdash^{\nu} R \Rightarrow s \circ [u_1,u_2] \setminus C; \mathcal{I}$.

(b) For every $(\Sigma', x{:}\sigma; \Psi' \models c') \in C$, it is the case that $\Sigma'; \Psi'[t_0/x] \models c'[t_0/x]$.

(c) For every $(\Sigma', x{:}\sigma; E' \models i') \in \mathcal{I}$, it is the case that $\Sigma'; E_0, E' \models i'$.

Proof. By simultaneous induction on given derivations of $\Sigma; \Psi[t_0/x]; E_0; \Pi[t_0/x] \vdash^{\nu[t_0/x]} V \Leftarrow s \circ [u_1[t_0/x], u_2[t_0/x]]$ and $\Sigma; \Psi[t_0/x]; E_0; \Pi[t_0/x] \vdash^{\nu[t_0/x]} R \Rightarrow s \circ [u_1[t_0/x], u_2[t_0/x]]$, and case analysis of their last rules. The proof is tedious but straightforward. Some representative cases are shown below. (Note that the required conditions (a), (b), and (c) are identical for A and B.)

T,-^[to/x\-E0-,U[to/x\  R  = =>•  s  o  [ui[fo/x\,U2[to/x]\ 

E;  ^[f0/x]  |=  ui\tQ/x\  <  u[[f0/x\  E;  ^>[t0/x\  |=  u'2[f0/x\  <  u2[f0/x\ . 

Case.  - 7^— - inter 


T,-,^[f0/x]-,Eo-,U[f0/x]  l-^Bo/a:-]  R  ^ =  g  o  [u([t0/x\,u'2[to/x\\ 

1.  There  exist  C  and  T'  such  that  E,  x:cr:  \P;  E;  II  \~u  R  ==>  s  o  [tti,  tt2] 


C'-T 
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(i.h.  on  premise;  by  condition  in  A,  s  =  s[to/®]) 

2.  (b)  holds  for  C'  (i.h.) 

3.  (c)  holds  for  X'  (i.h.) 

4.  Let  Ci  =  (E;  4/  |=  u\  <  u\ ) ,  (E;  'L  (=  u'2  <  112)-  Choose  C  =  C',unsat(Ci)  and  X  =  X' . 

5.  E,x:cr;  41;  Li;  II  h"  R  <=  s  o  \u\ ,  u^]  \C;X  (Rule  (infer)  on  1) 

(a) is the same as 5 above; (b) holds for $C$ because of 2 and because of the 2nd and 3rd premises; (c) holds for $\mathcal{I}$ because of 3.


Case. 


E;  Mf0/x\- E0;U[f0/x\  h* 1 2 3^  V  4=  s  o  [Ul,u2] 


-check 


E;  \k[to/x];  Eq]  II[to/x]  check  V  s  u\  U2  =>■  s[to/^]  0  [^1,^2] 

1.  Variables  in  x  do  not  appear  in  check  V  s  u\  U2  (Condition  in  B) 

2.  Variables  in  x  do  not  appear  in  V  and  s  (From  1) 

3.  There  are  C  and  X'  such  that  E,  x:a ;  41;  E;  II  \-u  V  <=  s  o  [ttj_ ,  u2]  \  C \Xl 

(i.h.  on  premise;  can  be  used  due  to  2) 


4.  C  satisfies  (b) 

5.  X'  satisfies  (c) 

6.  Choose  C  =  C  and  X  =  X' 

7.  E,  x\a\  \k;  E ;  II  \~v  check  V  s  u±  112  = =>•  s  o  [u\,u2]  \  C']X' 

(a) is the same as 7. (b) and (c) hold because of 4 and 5 respectively.

E;  Eq  \=  i 


(i.h.) 

(i.h.) 


Case. 


T,;^[t0/x}-  E0;U[t0/x]  b^°/L  inter  I  i  o  [ui[fo/x\,u2[fo/x\\ 


interl 


1.  Choose  C  =  •  and  X  =  unsat(E,  x:a:  E  (=  i) 

2.  E,  x:a;  4e  E\  II  \~u  interl  -4=  i  o  [u1;  it2]  \  C;X  (Rule  (interl)) 

(a) is the same as 2. (b) holds vacuously since $C = \cdot$. To prove (c) we consider two cases.

• $(\Sigma, x{:}\sigma; E \models i) \notin \mathcal{I}$: (c) is vacuously true since $\mathcal{I}$ must be empty.

• $(\Sigma, x{:}\sigma; E \models i) \in \mathcal{I}$: We must show that $\Sigma; E, E_0 \models i$. This follows by applying (S-weaken) from §4.2.1 to the premise.

□ 
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Theorem  C.5  (Completeness  of  PCFS  verification;  Theorem  5.12).  Suppose  that  E;  •;  E:  II 
\-v  V  4=  s  o  [u,u\.  Let  ctime  be  a  fresh  constant.  Then  there  exist  C  and  1  such  that  the 
following  hold. 

1.  E, ctime:time;  •;  •; II  \~u  V  -4=  s  o  [ctime, ctime]  \  C;Z. 

2.  For  each  (S',  ctime:time;  HI'  |=  d)  E  C,  it  is  the  case  that  E7;  \P7 [it /ctime]  |=  c7[ix/ctime] . 

3.  For  each  (E7,  ctime:time;  E'  \=  i')  E  T,  it  is  the  case  that  E7;  E,  E'[u/ ctime]  |=  x'fxx/ctime] 
Proof.  We  proceed  as  follows. 

1.  E;  •;  E;  H\~L'  V  -4=  s  o  [it,  u]  (Assumption) 

2.  E;  ■;  E\  n[u/ctime]  |~*d“/ctime]  y  <^=  s  Q  [ctime[ix/ctime],  ctime[?x/ctime]]  (ctime  is  fresh) 

3.  There  are  C  and  T  such  that  E,  ctime:time;  ■;  ■;Uhu  V  4=  s  o  [ctime,  ctime]  \  C;Z 

(Lemma  C.4  on  2) 

4.  (2)  holds  (Also  by  Lemma  C.4) 

5.  For  each  (E7,  ctime:time;  E'  |=  i')  E  Z,  it  is  the  case  that  E7;  E.  E'  \=  i' 

(Also  by  Lemma  C.4) 

6.  For  each  (E7,  ctime:time;  E'  \=  i!)  E  Z,  it  is  the  case  that  E7;  E,  E'[u/ct\me]  \=  i7[?x/ctime] 
(5;  E',i 7  cannot  contain  ctime) 

□ 


C.3  Proofs  from  §5.3 

Theorem C.6 (Correctness; Theorem 5.19). If $\Sigma; \Psi; E; \Pi \xrightarrow{\nu} V : s \circ [u_1,u_2]$, then $\Sigma; \Psi; E; \Pi \vdash^{\nu} V \Leftarrow s \circ [u_1,u_2]$.

Proof. By induction on the given derivation of $\Sigma; \Psi; E; \Pi \xrightarrow{\nu} V : s \circ [u_1,u_2]$ and case analysis of its last rule. Some representative cases are shown below.

E;  \P;  E;  II,  7T  :  k  claims  s  o  [iti,  ix2],  r  :  s  o  [txi,  tx2]  V  :  r  o  [u'i,  u'2\ 

v  =  k' ,  Ub,  ue  E;  'P  |=  1x1  <  Ub  E;  'P  |=  ue  <  tx2  E;  \P  |=  k  A  k' 

Case.  - - - - — - claims 

E;  \P;  E;  II,  n  :  k  claims  so  [m,  ix2]  — >  V\i r/r]  :  r  o  [u\ ,  u72] 

To  show:  E;  VP ;  E;  II,  it  :  k  claims  so  [xxi,  it2]  \~u  V[7t/t]  4=  r  o  [u\ ,  vif\ 

1.  E;  \P;  E;  II,  7r  :  k  claims  s  o  [1x1,  it2],  r  :  s  o  [ixi,  ix2]  V  4=  r  o  [u\ ,  it72] 

(i.h.  on  1st  premise) 


2.  E;  \P;  E;  II,  7r  :  k  claims  so  [m,  xx2]  \~u  vr  =>•  so  [ixi,  ix2] 
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(Rule  (claims)  on  premises  3-5) 
3.  E;  d';  E;  II,  7r  :  k  claims  so  [u\,  uq\  \~u  V\i r/r]  -4=  r  o  [u\ ,  u2]  (Theorem  5.7  on  2,3) 

E;  \V;  E;  II,  it  :  k  says  so  [m1,m2],t  :  ^  claims  s  o  [t/i,  7/2]  —>  V  :  r  o  [u\ ,  tz2] 

Case.  - - - - — - - saysL 

E;  \V;  E;  II,  n  :  k  says  s  o  [7/1,  t/2]  — >  saysE  7 r  ( t.V )  :  r  o  [ul5  7/2] 

To  show:  E;  \V;  E]  II,  7r  :  k  says  s  o  [7/1,  7/2]  saysE  7r  (t.C)  -4=  r  o  [u\ ,  t/2] 


1.  E;  \V;  E]  II,  7r  :  k  says  sofjijjU^rT  claims  s  o  [u\,  7/2]  \~u  V  -4=  r  o  [t/^,  tz2] 

(i.h.  on  premise) 

2.  E;  \V;  E;  II,  7r  :  k  says  so  [7/1,  7/2]  P"  n  = =>■  k  says  so  [7/1,  7/2 ]  (Rule  (hyp)) 

3.  E;  \V;  E;  II,  7r  :  k  says  so  [7/1,  7/2]  \-v  saysE  7r  (t.V)  -4=  r  o  [u\ ,  u2] 

(Rule  (saysE)  on  1,2) 


Case. 


E;  \R;  iE;  II,  7r  :  si  D  s2  o  [7/1,772]  ^  V\  :  si  o  [u^T/g] 

E; E;  IT,  7T  :  si  D  S2  o  [7/1,  t/2],  t  :  S2  o  [7/1,  t/2]  —>■  V2  :  r  o  [u'{,  tz2] 
E;  \V  |=  Tii  <  Tti  E;  \V  (=  u2  <  112 


-DL 


E;  \V;  E;  II,  7T  :  si  D  S2  o  [771,772]  V2[(impE  7r  Vi  77^  7/2)/t]  :  r  o  [7/",  t/2] 

To  show:  E;^;E;n,  7T  :  si  D  S2  o  [t7i,  772]  A  ^[(impE  7r  Vi  t/^  t/2)/t]  :  r  o  [77^,  772] 


1.  E;  \V;  E;  II,  7r  :  si  D  S2  o  [t7i,  772]  P1'  Vi  -4=  si  o  [77) ,  u2\  (i.h.  on  1st  premise) 

2.  E;  \V;  E;  II,  7T  :  si  D  S2  o  [t7i,  772]  \~v  7 r  =>■  si  D  S2  o  [771,7/2]  (Rule  (hyp)) 

3.  E;  'V;  E;  II,  7T  :  si  D  S2  o  [7/1,  t/2]  Pv  impE  7r  Vi  Tt)  t/2  =>■  S2  o  [77^,77^] 

(Rule  (dE)  on  2,1  and  3rd, 4th  premises) 

4.  E;  4/;  E;  II,  7T  :  si  D  S2  o  [7/1, 7/2],  r  :  S2  o  [77^,77^]  Pv  V2  4=  r  o  [77",  tz2] 

(i.h.  on  2nd  premise) 

5.  E;  \V;  E;  II,  7T  :  si  D  S2  o  [t/i,  7t2]  ^[(impE  7 r  Vi  77^  tz2)/t]  :  r  o  [77'/,  7/2] 

(Theorem  5.7  on  3,4) 


□ 
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D.l  Soundness  of  Goal-directed  Search 

Lemma D.1. If $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; \mathrm{ff}$ and $\Sigma; \Psi; E; \Delta \Longrightarrow Q$, then $\Sigma; \Psi \models u_1 \le u_1'$ and $\Sigma; \Psi \models u_2' \le u_2$.

Proof. By induction on the derivation of $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; \mathrm{ff}$ and case analysis of its last rule. The interesting cases are shown below. Note that the cases (F-⊃1) and (F-@) do not apply since the boolean in their conclusions is always tt.


£;po  [ui,u2]  «p  o  [u\,u'2\  \  (mi  <  it'd  ::  (u'2  <  u2)  ::  [];ff 
To  show:  E;  \F  |=  u\  <  u\  and  S;  |=  u'2  <  m2. 

1.  S;  (ui  <  «i)  ::  (m'2  <  m2)  ::  [] 

2.  E;  ^  |=  ui  <  u\  and  E;  \F;  E;  A  A  (u^  <  u2)  ::  [] 

3.  E;  \F  |=  u2  <  u2 


F-init 


(Assumption) 
(Inversion  on  1) 
(Inversion  on  2) 


The  required  conclusions  are  contained  in  2  and  3. 

Cage  A  d2  o  [ui,u2]  «po  [u\ ,  '(4]  \  Q;  ff 

E;  gi  D  d2  o  [ui,u2]  «  p  o  [u^,  u'2]  \  (pi  o  K,  u2})  ::  Q;  ff 
To  show:  E;  'F  |=  mi  <  u\  and  E;  'F  |=  u2  <  u2. 

1.  E;$;£;AA(5loKlMy)  ::  Q 

2.  E;$;B;AAQ 

3.  E;  ^  |=  mi  <  u'i  and  E;  \F  |=  u2  <  u2 


F-D2 


(Assumption) 
(Inversion  on  1) 
(i.h.  on  premise  and  2) 


□ 
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Lemma  D.2.  Suppose  the  following  hold. 

1.  X;  d  o  [ui,U2\  «  p  o  [u\ ,  u2\  \  Q;  b 

2.  X;tf;E;r  A  Q 

Then, 

A.  b  =  ff  implies  X;  \k;  E;  T,  d  o  [u^,  u2\  A  p  o  ii2] 

B.  b  =  tt  implies  X;  \k;  E;  T,  d  o  [u&,  rte]  ^po  [u)  .  it2]  /or  eren/  Ub  and  ue. 

Proof.  We  prove  (A)  and  (B)  by  a  simultaneous  induction  on  the  derivation  given  in  (1). 

Proof  of  (A) 

We  case  analyze  the  last  rule  in  the  derivation  given  in  (1). 


Case 


£;po  [ui,U2\  «po  [u^u'z)  \  ( u\  <  u[)  ::  ( u2  <  u2)  ::  [];ff 
To  show:  S;$;P;r,po  [u\ ,  u'2\  ^po  [a\ ,  u'2\ 

1.  X;  'h  |=  u'±  <  u\  and  X;  'h  |=  u2  <  u2 

2.  S;$;P;r,po  [u[,u2\  ^po  [E, . u2] 


F-init 


((C-refl-time)  from  §4.2.1) 
(Rule  (init)  on  1) 


X;di  o  [ui,u2]  «po  K,^]  \  Q; ff 

Case.  - - - - - — — - F-Ai 

X;  di  A  d2  o  [u\,  u2]  «  p  o  u2]  \  Q;  ff 

To  show:  X;  \H;  E;  T,  d\  f\d2o  \u\ ,  u2]  ^po  [u) ,  u2] 

1.  X;  'h;  E;  T,  d\  o  [u) .  u2]  ^>po  [u( ,  u2]  (i.h.  (A)  on  premise  and  assumption  2) 

2.  X;  'h;  E;  T,  d\  A  d2  o  [u^,  u2],  di  o  ,  u2] ,  d2  o  [u^,  u2]  Apo  [u^,  u2] 

(Weakening  Theorem  4.8(ld)  on  1) 

3.  X;  \k;  E;  T,  di  A  d2  o  [u^,  u2]  ^po  [it^,  it2]  (Rule  (AL)  on  2) 

X;d2  o  [u!,u2]  «po  [ui,u2]  \  Q;ff 

Case.  - - - - - — — - F-A2 

X;  d±  A  d2  o  [«i,  u2]  «  p  o  [u, .  u2]  \  Q;  ff 

Similar  to  the  previous  case. 

X;  d2  o  [ui,u2\  «  p  o  [u( ,  t/2]  \  Q;  ff 


Case 


X;  giD  d2o  [ui,u2]  «  p  o  [ul5  u2]  \  (t/i  o  K,  u2])  ::  Q;  ff 
To  show:  X;  \k;  E;  T,  g\  D  d2  o  [u\ ,  u2]  p  o  [u^,  u2] 


Fo2 


1.  X;  'k;  E;  r 


(pi 0  K,^]) ::  Q 


(Assumption  2) 




Appendix  D.  Proofs  from  §6 


2.  The  following  hold  (Inversion  on  1) 

(a)  gi  o  K,^] 

(b)  AQ 

3.  E;  \k;  E]  T,  d 2  o  [u^,  rt^]  ^  p  o  [u\ ,  ri2]  (i.h.  (A)  on  premise  and  2b) 

4.  E;  \k;  E\  T,  g\  D  rf2  0  1*2]  9i  0  \a\  ■  u2]  (Weakening  Theorem  4.8(ld)  on  2a) 

5.  E;  E;  T,  gi  D  d2  o  [u[,  u'2],  d2  o  K,  u'2]  ^po  [?4,  u'2] 

(Weakening  Theorem  4.8(ld)  on  3) 

6.  E;  T  [=  ri)  <  it)  and  E;  'k  |=  u2  <  u2  ((C-refl-time)  from  §4.2.1) 

7.  E;  \k;  E\  T,  g\  D  d2  o  [it^,  n2]  ^po  ['«( ,  rt2]  (Rule  (dL)  on  4-6) 

Ehf:cr  E;d[t/x]  o  [ui,^]  «P°  K,^2]  \  Q;ff_  w 

E;  \/x:a.d  o  [ui,u2]  «  p  o  [n1;  u2]  \  Q;  ff 

To  show:  E;  \k;  E]  T,  ^x:a.d  o  ['«(,  u2]  -^po  ,  ?/2] 

1.  E;  \k;  £1;  T,  d[t/x]  o  ['u( ,  u'2\  ^po  [u.) ,  it2]  (i.h.  (A)  on  premise  and  assumption  2) 

2.  E;  \k;  E\  T,  \/x:a.d  o  [u'±,  u2\,  d[t/x]  o  [«/1,'u2]  -^po  [ui,u2\ 

(Weakening  Theorem  4.8(ld)  on  1) 

3.  E;  \k;  E;  T,  Vx:cr.d  o  [rt^,  u2]  -^po  \n\ .  u2\  (Rule  (VL)  on  2  and  1st  premise) 

Proof  of  (B) 

We  case  analyze  the  last  rule  in  the  derivation  given  in  (1). 

E;di  o  [ui,u2\  «po  [ni,u2]  \  Q;tt 

Case.  - - - - - — — j- - F-Ai 

E;  d\  A  d2  o  [ui,u2\  «  p  o  [itj,  u2]  \  Q;  tt 

To  show:  E;  \k;  E]  T,  d\  A  d2  o  [ub,  ue)  ^po  [u\ ,  u2] 

1.  E;  'k;  E]  T,  di  o  [rtb,  mc]  -^po  [it) ,  u2]  (i.h.  (B)  on  premise  and  assumption  2) 

2.  E;  ^]E-,T,di  A  d2  o  [ub,ue],di  o  [ub,ue],d2  o  [ ub,ue\  ^  po  [u^u^j 

(Weakening  Theorem  4.8(ld)  on  1) 

3.  E;  \k;  E ;  T,  d\  A  d2  o  [ ub ,  ue]  —>■  p  o  [u'l:  u2]  (Rule  (AL)  on  2) 
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X;d2  °  [ui,u2]  «F  Wi,u'2}  \  Q;tt 

Case.  - - - - - — — t- - F-A2 

X;  di  Ad-2  °  [ui,U2\  «  p  o  [«i,u2]  \  Q;  tt 

Similar  to  the  previous  case. 

X;  d2  o  [tti,  u2\  «po  [vi| .  ?/2]  \  Q;  tt 


Case 


X;pi  D  d2  o  [ui,u2]  «po  \  (c/i  o  </>)  ::  Q;  tt 

To  show:  X;  \k;  E;  T;  g\  D  d2  o  [ub,  ue\  p  o  [u^,  u2] 


FOi 


1.  X;\H;.E;r  A  (r/i  o  (f>)  ::  Q  (Assumption  2) 

2.  The  following  hold  (Inversion  on  1) 

(a)  X;f;£;r^5lo^ 

(b)  X;f;J?;r^Q 

3.  X;  'h;  E;  T,  d2  o  cf>  A  p  o  [ri( ,  t/2]  (i.h.  (B)  on  premise  and  2b,  choosing  [ub,  ue]  =  0) 

4.  X;  TF;  T,  g\  D  d2  o  [?/&,  we]  ^  g\  o  (j)  (Weakening  Theorem  4.8(ld)  on  2a) 

5.  X;  'k;  E;  T,  gi  D  d2  o  [ Ub ,  ue],  d2  o  (f>  A  p  o  ['«.( ,  u2]  (Weakening  Theorem  4.8(ld)  on  3) 

6.  X;  4/  |=  Ub  <  oo  and  X;  \k  |=  —  oo  <  ue  ((C-refl-time)  from  §4.2.1) 

7.  X;  \H;  E;  T,  g±  D  d2  o  (ufe,  af]  4po  [u) ,  u2]  (Rule  (dL)  on  4-6;  </>  =  [+oo,  —  oo]) 


X  h  t  :  (T  X;d[i/x]  o  [mi,u2]  «po  [ui,u2]  \  Q;tt 

Case.  - - - - - — — - F-V 

X;  \/x:a.d  o  [u\,u2\  <p  o  [ii1;  u2]  \  Q;  tt 

To  show:  X;  \k;  E;  T,  Mx'.a.d  o  [ub,  ue]  —>  p  o  ['«/, ,  u2] 

1.  X;  'I';  E]  T,  d[t/x\  o  [ub,ue]  ^po  \u\ ,  vi2]  (i.h.  (B)  on  premise  and  assumption  2) 

2.  X;  \k;  £1;  T,  V x\o.d  o  [ Ub ,  ite],  d[i/x]  o  [rtb,  ite]  4po  [u^,  u2] 

(Weakening  Theorem  4.8(ld)  on  1) 

3.  X;  4/;  E\  T,  Mx:cr.d  o  [ub,  ue]  — >  p  o  [u'l5  rt2]  (Rule  (VL)  on  2  and  1st  premise) 

Case  X;  d  o  [<,  <]  «p°  [<,  ^2]  \  Q;  &  F  q 

X;  d  @  [it",  tt2]  o  [ui,u2\  «  p  o  [i^,  u2]  \  Q;  tt 
To  show:  X;  'k;  E;  T,  d  @  [u'{,  tt2]  o  [it6,  rte]  f?po  [it^,  u2] 


1.  Case  analysis  of  b. 

•  Case:  b  =  tt 

(a)  X;  'P;  E-  T,  d  o  [u'{,  <]  ^po  K,  u'2] 
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(i.h.  (B)  on  premise  and  assumption  2  choosing  [v,b,ue]  =  [v/( ,  u2] ) 


•  Case:  b  =  ff 

(a)  S;f;P;r,do  [u[,u'2]  p  o  K,  u'2] 


(i.h.  (A)  on  premise  and  assumption  2) 


(b)  X;  'I'  |=  u'{  <  u\  and  X;  'P  |=  u2  <  u2 


(Lemma D.1 on premise and assumption 2)
tu'2\  (Identity  Theorem  4.13  using  b) 


X;  'P;  E;  T,  d  o  [u",  u2\  ^p  o  [u'uu'2\ 


(Cut  Theorem  4.12  on  c,a) 
(Result  of  case  analysis) 


3.  X;  <P;  E;  T,  d  @  [u'{,  u'2 ]  o  [ub,  ue\  ^  p  o  [n'l5  u'2\ 


(Weakening  Theorem  4.8(ld)  on  1) 
(Rule  (@L)  on  2) 


□ 


Lemma D.3 (Soundness of F-sequents; Lemma 6.1). Suppose the following hold.

1. $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; b$

2. $\Sigma; \Psi; E; \Gamma \Longrightarrow Q$

Then, $\Sigma; \Psi; E; \Gamma, d \circ [u_1,u_2] \longrightarrow p \circ [u_1',u_2']$.

Proof. We case analyze $b$.

Case. $b = \mathrm{tt}$.

1. $\Sigma; \Psi; E; \Gamma, d \circ [u_1,u_2] \longrightarrow p \circ [u_1',u_2']$ (Lemma D.2(B) on assumptions 1,2 choosing $[u_b,u_e] = [u_1,u_2]$)

Case. $b = \mathrm{ff}$.

1. $\Sigma; \Psi; E; \Gamma, d \circ [u_1',u_2'] \longrightarrow p \circ [u_1',u_2']$ (Lemma D.2(A) on assumptions 1,2)

2. $\Sigma; \Psi \models u_1 \le u_1'$ and $\Sigma; \Psi \models u_2' \le u_2$ (Lemma D.1 on assumptions 1,2)

3. $\Sigma; \Psi; E; \Gamma, d \circ [u_1,u_2] \longrightarrow d \circ [u_1',u_2']$ (Identity Theorem 4.13 on 2)

4. $\Sigma; \Psi; E; \Gamma, d \circ [u_1,u_2] \longrightarrow p \circ [u_1',u_2']$ (Cut Theorem 4.12 on 1,3)

□


Theorem  D.4  (Soundness;  Theorem  6.2).  The  following  hold. 
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A.  X;  Ik;  Pi;  A  g  o  [mi,  1*2]  implies  X;  \I/;  E;  A  —>  g  o  [mi,  ri2] 

B.  X;  \I/;  Pi;  A;  E  <^=  5  o  [iti ,  it2]  implies  X;  \k;  E ;  A,  |S|  A  5  o  [mi,  M2] 

C.  X;  Pi;  A  ^  p  o  [mi,  M2]  implies  X;$;P;A  [mi,  M2] 

D. $\Sigma; \Psi; E; \Delta \Longrightarrow Q$ implies $\Sigma; \Psi; E; \Delta \longrightarrow Q$

Proof.  By  simultaneous  induction  on  given  derivations  and  case  analysis  of  the  last  rules  in 
them.  We  show  some  representative  cases  below. 


E^-E-A\k^go[Ul,u2)  „ 

Case.  - - - R-says 

X;  \k;  E;  A  =>■  P  says  g  o  [14,  rt2] 

To  show:  X;  \k;  Pi;  A  k  says  g  o  [mi,  tt2] 


1.  X;  \k;  Pi;  A| 


2.  X;  Ik;  Pi;  A 


k,U\,U2 


^  g  o  mi,m2J 


P  says  5  o  [mi,  it2] 


(i.h.  on  premise) 
(Rule  (saysR)  on  1) 


X; Pi;  A,  P  claims  do  [mi ,  M2] ;  S  <^=  g  o  [m^,  m2] 

Case.  - r - : — 77 - — - — — L-says 


(i.h.  on  premise) 


Case 


X;  \k;  E;  A;  5  ::  (P  says  do  [mi,  M2])  -4=  g  o  [ui,u2] 

To  show:  X;  'h;  Pi;  A,  |S|,  k  says  d  o  [i/i ,  112]  ^>30  [a\ ,  u'2} 

1.  X;  \k;  Pi;  A,  P  claims  d  o  [mi,  M2],  |S|  —>  g  o  [u\ .  u'2\ 

2.  X;  \k;  Pi;  A,  k  claims  d  o  [mi,  M2],  |S|,  P  says  d  o  [it!,  u2]  — ►  g  0  [m(  , m2] 

(Weakening  Theorem  4.8(ld)  on  1) 

3.  X;  \k;  Pi;  A,  |S|,  k  says  d  o  [mi,  M2]  —>■  g  o  [m^,  m2]  (Rule  (saysL)  on  2) 

do[ui,U2]€A  X;  d  o  [mi,  m2]  <C  p  o  [m'15  m2]  \  Q;  b  X;f;£;A4-  Qj 

X;  4pPi;  A  &p  o  [u\ ,  m2] 

To  show:  X;  \k;  Pi;  A  —>  p  o  [m'1;  m2] 


-N-clause 


1.  X;  'k;  Pi;  A  A-  Q  (i.h.  on  3rd  premise) 

2.  X;  \k;  Pi;  A,  d  o  [mi,  M2]  p  o  [m) .  xx2]  (Lemma  D.3  on  2nd  premise  and  1) 

3.  X;  'k;  Pi;  A  A  p  o  [m( .  m2]  (Contraction  Theorem  4.8(2)  on  2  using  1st  premise) 

P  claims  d  o  [m1;m2]  €  A  u  =  ko,Ub,ue 
X;  \k  |=  k  >z  Pq  X;  |=  mi  <  Mfe  X;  \k  |=  ue  <  M2 


Case. 


X;  d  o  [mi,m2]  «po  [m(  ,  m2]  \Q;b  X;  Vk;  Pi;  A  =4>  Q 


X;$;P;A^>po  [m'i,m2] 
To  show:  X;  \k;  Pi;  A  Apo  [m^,  m2] 


N-claims 
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2.  E;  'L;  Li;  A,  d  o  [u\,  u2]  —>■  p  o  \u'l:  u'2\ 

3.  E;$;P;A4po  K,?4] 


1.  E;  Q 


(i.h.  on  7th  premise) 
(Lemma  D.3  on  6th  premise  and  1) 
(Rule  (claims)  on  2  and  lst-5th  premises) 


□ 
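The F-rules that drive Lemmas D.1–D.3 (F-init, F-∧1, F-∧2, F-⊃1, F-⊃2, F-∀, F-@) and rule N-clause in the proof of Theorem D.4 together describe how goal-directed search focuses a clause $d \circ [u_1,u_2]$ on an atomic goal $p \circ [u_1',u_2']$, leaving a list of residual subgoals $Q$ and a flag $b$ that records whether an @-annotation overrode the clause's interval. The Python sketch below is an added example written for this appendix; it is not the thesis's or PCFS's code. It assumes ground numeric time points (so a constraint $\Sigma;\Psi \models u \le u'$ is a number comparison), goals restricted to atoms, and an unchecked sort in F-∀; the policy clauses `POLICY` and the names `focus`, `prove` and `lemma_d1_holds` are constructed here for illustration. `lemma_d1_holds` checks the property of Lemma D.1 on one instance: when $b = \mathrm{ff}$, the constraints $u_1 \le u_1'$ and $u_2' \le u_2$ appear in $Q$.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

INF = float("inf")
Interval = Tuple[float, float]   # [u1, u2]; time points are plain numbers in this sketch
PHI: Interval = (INF, -INF)      # the empty interval φ = [+∞, −∞] used by rule F-⊃1

# Clause syntax  d ::= p | d1 ∧ d2 | g ⊃ d | ∀x:σ. d | d @ [u1'', u2'']
@dataclass(frozen=True)
class Atom:                      # p(t1, ..., tn); an argument is a variable iff it is ∀-bound
    pred: str
    args: Tuple[str, ...] = ()
@dataclass(frozen=True)
class And:
    left: "Clause"
    right: "Clause"
@dataclass(frozen=True)
class Imp:                       # g ⊃ d  (goals g are restricted to atoms here: an assumption)
    goal: Atom
    body: "Clause"
@dataclass(frozen=True)
class Forall:                    # ∀x:σ. d  (σ is carried but not checked: an assumption)
    var: str
    sort: str
    body: "Clause"
@dataclass(frozen=True)
class At:                        # d @ [u1'', u2'']
    body: "Clause"
    interval: Interval
Clause = Union[Atom, And, Imp, Forall, At]

@dataclass(frozen=True)
class GoalAt:                    # residual subgoal  g ∘ [u1, u2]
    goal: Atom
    interval: Interval
@dataclass(frozen=True)
class Leq:                       # residual constraint  u ≤ u'
    lhs: float
    rhs: float
Subgoal = Union[GoalAt, Leq]
Subst = Dict[str, str]

def match(head: Atom, goal: Atom, bound: FrozenSet[str], s: Subst) -> Optional[Subst]:
    """Match a clause head against a ground goal atom, binding ∀-bound variables.
    This is how the witness t of rule F-∀ is chosen (Σ ⊢ t : σ is assumed to hold)."""
    if head.pred != goal.pred or len(head.args) != len(goal.args):
        return None
    s = dict(s)
    for a, b in zip(head.args, goal.args):
        if a in bound:
            if s.setdefault(a, b) != b:
                return None
        elif a != b:
            return None
    return s

def apply_subst(atom: Atom, s: Subst) -> Atom:
    return Atom(atom.pred, tuple(s.get(a, a) for a in atom.args))

def _focus(d, iv, p, piv, bound, s):
    if isinstance(d, Atom):                           # F-init
        s2 = match(d, p, bound, s)
        return None if s2 is None else ([Leq(iv[0], piv[0]), Leq(piv[1], iv[1])], False, s2)
    if isinstance(d, And):                            # F-∧1, else F-∧2
        res = _focus(d.left, iv, p, piv, bound, s)
        return res if res is not None else _focus(d.right, iv, p, piv, bound, s)
    if isinstance(d, Imp):                            # F-⊃2 (b = ff) / F-⊃1 (b = tt)
        res = _focus(d.body, iv, p, piv, bound, s)
        if res is None:
            return None
        q, b, s2 = res
        # with b = tt the clause interval is irrelevant, so g is demanded only at φ
        return [GoalAt(d.goal, PHI if b else piv)] + q, b, s2
    if isinstance(d, Forall):                         # F-∀
        return _focus(d.body, iv, p, piv, bound | {d.var}, s)
    if isinstance(d, At):                             # F-@: inner interval replaces iv, b := tt
        res = _focus(d.body, d.interval, p, piv, bound, s)
        return None if res is None else (res[0], True, res[2])
    raise TypeError(f"not a clause: {d!r}")

def focus(d: Clause, iv: Interval, p: Atom, piv: Interval) -> Optional[Tuple[List[Subgoal], bool]]:
    """Σ; d ∘ iv ≪ p ∘ piv \\ Q; b.  Returns (Q, b), or None if d cannot be focused on p."""
    res = _focus(d, iv, p, piv, frozenset(), {})
    if res is None:
        return None
    q, b, s = res     # apply the ∀-witnesses chosen by matching to the residual goals
    return [GoalAt(apply_subst(g.goal, s), g.interval) if isinstance(g, GoalAt) else g for g in q], b

def prove(program: List[Tuple[Clause, Interval]], p: Atom, piv: Interval, depth: int = 8) -> bool:
    """Rule N-clause: pick d ∘ iv ∈ Δ, focus it on p ∘ piv, then prove every subgoal in Q.
    A Leq subgoal is Σ;Ψ ⊨ u ≤ u' (a ground check here); a GoalAt subgoal recurses."""
    if depth == 0:
        return False
    for d, iv in program:
        res = focus(d, iv, p, piv)
        if res is not None and all(sg.lhs <= sg.rhs if isinstance(sg, Leq)
                                   else prove(program, sg.goal, sg.interval, depth - 1)
                                   for sg in res[0]):
            return True
    return False

def lemma_d1_holds(d: Clause, iv: Interval, p: Atom, piv: Interval) -> bool:
    """Lemma D.1 on one instance: if b = ff, then u1 ≤ u1' and u2' ≤ u2 are among the subgoals Q."""
    res = focus(d, iv, p, piv)
    if res is None:
        return True
    q, b = res
    return b or (Leq(iv[0], piv[0]) in q and Leq(piv[1], iv[1]) in q)

# Constructed sample policy Δ (not from the thesis); times are abstract numbers.
MAY_READ_ADMIN = Forall("F", "file", Imp(Atom("owner", ("admin", "F")), Atom("may_read", ("admin", "F"))))
GRANT_BOB = Imp(Atom("employee", ("bob",)), At(Atom("may_read", ("bob", "secret.txt")), (10, 20)))
POLICY: List[Tuple[Clause, Interval]] = [
    (MAY_READ_ADMIN, (0, 100)),      # ∀F. owner(admin,F) ⊃ may_read(admin,F) ∘ [0,100]
    (Atom("owner", ("admin", "secret.txt")), (0, 100)),
    (GRANT_BOB, (0, 100)),           # employee(bob) ⊃ (may_read(bob,secret.txt) @ [10,20]) ∘ [0,100]
    (Atom("employee", ("bob",)), (0, 100)),
]

def demo() -> Dict[str, bool]:
    admin, bob = Atom("may_read", ("admin", "secret.txt")), Atom("may_read", ("bob", "secret.txt"))
    return {"admin_in_window": prove(POLICY, admin, (5, 50)),
            "admin_past_end": prove(POLICY, admin, (5, 150)),
            "bob_in_grant": prove(POLICY, bob, (12, 18)),
            "bob_outside_grant": prove(POLICY, bob, (12, 25))}
```

Focusing `GRANT_BOB` on `may_read(bob, secret.txt) ∘ [12,18]` returns $b = \mathrm{tt}$ with `employee(bob)` demanded at φ, exactly the situation handled by step 6 of the (F-⊃1) case in Lemma D.2(B): any fact `employee(bob) ∘ [u1,u2]` satisfies $u_1 \le +\infty$ and $-\infty \le u_2$. Focusing `MAY_READ_ADMIN` returns $b = \mathrm{ff}$ and puts $0 \le 5$ and $50 \le 100$ in $Q$, which is what Lemma D.1 guarantees.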


D.2  Properties  of  Goal-directed  Search 

Lemma  D.5  (Weakening).  The  following  hold. 

1.  If  E;  'L;  Li;  A  g  o  [u\,  u2\  then 

(a)  E,  x:cr;  'L;  Li;  A  g  o  [u\,  u2] 

(b)  E;  \k,  c;  Li;  A  4-  g  o  [iti,u2] 
(c) $\Sigma; \Psi; E, i; \Delta \Longrightarrow g \circ [u_1,u_2]$

(d)  E;  \k;  Li;  A,  J  =4>  g  o  [ui,u2] 

2. If $\Sigma; \Psi; E; \Delta \Longrightarrow Q$ then

(a)  E,  x:cr;  ik;  Li;  A  Q 

(b)  S;  \k,  c;  Li;  A  Q 
(c) $\Sigma; \Psi; E, i; \Delta \Longrightarrow Q$
(d)  E;  \k;  Li;  A,  J  Q 

3.  If  E;  A\E  <=  g  o  [ui,u2]  then, 

(a)  T,,x:a-,^-,E-,A-,E^=go[ui,u2] 

(b)  E;  'L,  c;  Li;  A;  S  <^=  g  o  [«i,  it2] 

(c) $\Sigma; \Psi; E, i; \Delta; S \Leftarrow g \circ [u_1,u_2]$

(d)  E;  'L;  Li;  A,  J;  H  <^go  [ui,  u2] 

4. If E; 'L; Li; A p o [«!, «2] then

fa)  E,  x:cj;  'L;  Li;  A  p  o  [m,  a2] 

(b)  E;f,c;  L;A<S>po  [tti,  n2] 

(c)  E;  \k;  E,  i\  A  <S>  p  o  [iil5  ?/2] 

(d)  E;\H;Li;A,  J  <£>  p  o  [ui,u2] 

5.  If  E;  d  o  [ui,u2]  <C  p  o  [a) ,  n2]  \  Q‘,b  then  E,  x:er;  d  o  [«!,  ri2]  <C  p  o  [rtf,  a2]  \  Q;  b 
Further,  all  constructed  derivations  have  depths  less  than  or  equal  to  those  of  given  deriva¬ 


tions. 
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Proof.  (5)  follows  by  induction  on  the  given  derivation,  (la),  (2a),  (3a),  and  (4a),  then 
follow  by  a  simultaneous  induction  on  given  derivations.  Similarly,  (lb)-(4b),  (lc)-(4c), 
and  (ld)-(4d)  follow  by  separate  simultaneous  inductions.  □ 

Lemma  D.6  (Constraint  substitution).  Suppose  X;  41  |=  c.  Then  the  following  hold. 

1.  X;  'h,  c;  E]  A  g  o  [u\,  uf\  implies  X;  'h;  E\  A  g  o  [u\,  U2] 

2.  X;  \h,  c;  E]  A  =4-  Q  implies  X;  E\  A  =4>  Q 

3.  X;  \H,  c;  E]  A;  S  <^=  5  o  [rti,  rt2]  implies  X;  \h;  E;  A;  X  <^=  5  o  [iq,  u2] 

X;  \H,  c;  E;  A  <S>  p  o  [ui,  uf\  implies  X;  \h;  E\  A  <S>  p  o  [u\,  U2] 

Proof.  By  simultaneous  induction  on  given  derivations  and  case  analysis  of  their  last  rules. 
For  the  cases  of  rules  (R-cons),  (Q-leq),  and  (N-claims)  we  appeal  to  assumption  (C-cut) 
from  §4.2.1,  as  in  the  proof  of  Lemma  B.3.  □ 

Lemma  D.7  (View  subsumption).  Suppose  the  following  hold: 

1. $\nu = k_0, u_b, u_e$

2. $\Sigma; \Psi \models k_0 \succeq k_0'$, $\Sigma; \Psi \models u_b \le u_b'$, and $\Sigma; \Psi \models u_e' \le u_e$.

3. $\nu' = k_0', u_b', u_e'$

Then,

A.  X;  \P;  E\  A  =4-  g  o  [u\,U2]  implies  X;  \P;  E;  A  g  o  [ui,U2]  by  a  derivation  of  less  or 
equal  depth. 

B.  X;  \P;  E\  A  Q  implies  X;  \P;  E\  A  Q  by  a  derivation  of  less  or  equal  depth. 

C.  X;  \P;  E\  A;  H  £=  g  o  [ui,  U2}  implies  X;  \P;  E]  A;  S  <=  g  o  [rti,  U2]  by  a  derivation  of  less 
or  equal  depth. 

D.  X;  \P;  E\  A  &  p  o  [iq,  u2]  implies  X;  f ;  B;  A  &  p  o  [u\,U2]  by  a  derivation  of  less  or 
equal  depth. 

Proof.  By  simultaneous  induction  on  derivations  given  in  (A)-(D)  and  case  analysis  of 
their  last  rules.  The  only  interesting  case  is  (N-claims),  where  we  appeal  to  assumptions 
(C-trans-time)  and  (C-trans-prin)  from  §4.2.1.  □ 

Lemma D.8 (Time subsumption). Suppose $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2$. Then the following hold.

1. If $\Sigma; d \circ [u_1'',u_2''] \ll p \circ [u_1,u_2] \setminus Q; b$ and $\Sigma; \Psi; E; \Delta \Rightarrow Q$ then there is a $Q'$ such that $\Sigma; d \circ [u_1'',u_2''] \ll p \circ [u_1',u_2'] \setminus Q'; b$ and $\Sigma; \Psi; E; \Delta \Rightarrow Q'$.

2. $\Sigma; \Psi; E; \Delta \Rrightarrow p \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta \Rrightarrow p \circ [u_1',u_2']$

3. $\Sigma; \Psi; E; \Delta \Rightarrow g \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta \Rightarrow g \circ [u_1',u_2']$

4. $\Sigma; \Psi; E; \Delta; H \Leftarrow g \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta; H \Leftarrow g \circ [u_1',u_2']$

Proof. (1) follows by an induction on the given derivation of $\Sigma; d \circ [u_1'',u_2''] \ll p \circ [u_1,u_2] \setminus Q; b$. The proof of (2) is shown below. (3) and (4) then follow by a simultaneous induction on the depths of the given derivations and case analysis of their last rules, using (2) for the case of rule (R-N). Further, Lemma D.6 is needed for the case of rule (R-⊃) and Lemma D.7 is needed for the case of (R-says), as in the proof of Theorem 4.11. (Note that the induction must be on the depth of derivations, not on the structure of derivations, because in the case of rule (R-says) we appeal to the i.h. after using Lemma D.7.)

Proof of (2). We case analyze the rule used to derive $\Sigma; \Psi; E; \Delta \Rrightarrow p \circ [u_1,u_2]$.

Case.

$$\frac{d \circ [u_1'',u_2''] \in \Delta \qquad \Sigma; d \circ [u_1'',u_2''] \ll p \circ [u_1,u_2] \setminus Q; b \qquad \Sigma; \Psi; E; \Delta \Rightarrow Q}{\Sigma; \Psi; E; \Delta \Rrightarrow p \circ [u_1,u_2]}\ \text{N-clause}$$

To show: $\Sigma; \Psi; E; \Delta \Rrightarrow p \circ [u_1',u_2']$

1. There exists $Q'$ such that

(a) $\Sigma; d \circ [u_1'',u_2''] \ll p \circ [u_1',u_2'] \setminus Q'; b$

(b) $\Sigma; \Psi; E; \Delta \Rightarrow Q'$

(Clause (1) of the theorem on the 2nd and 3rd premises)

2. $\Sigma; \Psi; E; \Delta \Rrightarrow p \circ [u_1',u_2']$ (Rule (N-clause) on the 1st premise, 1a, 1b)

Case.

$$\frac{\begin{array}{c} k \text{ claims } d \circ [u_1'',u_2''] \in \Delta \qquad \nu = k_0, u_b, u_e \qquad \Sigma; \Psi \models k \succeq k_0 \qquad \Sigma; \Psi \models u_1'' \leq u_b \qquad \Sigma; \Psi \models u_e \leq u_2'' \\ \Sigma; d \circ [u_1'',u_2''] \ll p \circ [u_1,u_2] \setminus Q; b \qquad \Sigma; \Psi; E; \Delta \Rightarrow Q \end{array}}{\Sigma; \Psi; E; \Delta \Rrightarrow p \circ [u_1,u_2]}\ \text{N-claims}$$

To show: $\Sigma; \Psi; E; \Delta \Rrightarrow p \circ [u_1',u_2']$

1. There exists $Q'$ such that

(a) $\Sigma; d \circ [u_1'',u_2''] \ll p \circ [u_1',u_2'] \setminus Q'; b$

(b) $\Sigma; \Psi; E; \Delta \Rightarrow Q'$

(Clause (1) of the theorem on the 6th and 7th premises)

2. $\Sigma; \Psi; E; \Delta \Rrightarrow p \circ [u_1',u_2']$ (Rule (N-claims) on the 1st–5th premises, 1a, 1b)

□


Lemma D.9 (Left subsumption for F-sequents). Suppose the following hold:

1. $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; b$

2. $\Sigma; \Psi; E; \Delta \Rightarrow Q$

3. $\Sigma; \Psi \models u_1'' \leq u_1$ and $\Sigma; \Psi \models u_2 \leq u_2''$

Then, there is a $Q'$ such that

A. $\Sigma; d \circ [u_1'',u_2''] \ll p \circ [u_1',u_2'] \setminus Q'; b$

B. $\Sigma; \Psi; E; \Delta \Rightarrow Q'$

Proof. By induction on the given derivation of $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; b$ and case analysis of its last rule. The only interesting case is shown below.

Case.

$$\frac{}{\Sigma; p \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus (u_1 \leq u_1') :: (u_2' \leq u_2) :: []; \mathsf{ff}}\ \text{F-init}$$

To show: There is $Q'$ such that (A) and (B) hold (with $d = p$). We claim that $Q' = (u_1'' \leq u_1') :: (u_2' \leq u_2'') :: []$ satisfies these properties. (A) follows immediately from rule (F-init). (B) is proved as follows.

1. $\Sigma; \Psi; E; \Delta \Rightarrow (u_1 \leq u_1') :: (u_2' \leq u_2) :: []$ (Assumption 2)

2. $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2$ (Inversion on 1)

3. $\Sigma; \Psi \models u_1'' \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2''$ ((C-trans-time) from §4.2.1 on 2 and assumption 3)

4. $\Sigma; \Psi; E; \Delta \Rightarrow (u_1'' \leq u_1') :: (u_2' \leq u_2'') :: []$ (Rules (Q-[]) and (Q-leq) on 3)

□

Lemma D.10. If $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; \mathsf{ff}$ and $\Sigma; \Psi; E; \Delta \Rightarrow Q$, then $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2$.

Proof. By induction on the derivation of $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; \mathsf{ff}$ and case analysis of its last rule. The interesting cases are shown below. Note that the cases (F-⊃1) and (F-@) do not apply since the boolean in their conclusions is always $\mathsf{tt}$.

Case.

$$\frac{}{\Sigma; p \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus (u_1 \leq u_1') :: (u_2' \leq u_2) :: []; \mathsf{ff}}\ \text{F-init}$$

To show: $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2$.

1. $\Sigma; \Psi; E; \Delta \Rightarrow (u_1 \leq u_1') :: (u_2' \leq u_2) :: []$ (Assumption)

2. $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi; E; \Delta \Rightarrow (u_2' \leq u_2) :: []$ (Inversion on 1)

3. $\Sigma; \Psi \models u_2' \leq u_2$ (Inversion on 2)

The required conclusions are contained in 2 and 3.

Case.

$$\frac{\Sigma; d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; \mathsf{ff}}{\Sigma; g_1 \supset d_2 \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus (g_1 \circ [u_1',u_2']) :: Q; \mathsf{ff}}\ \text{F-⊃2}$$

To show: $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2$.

1. $\Sigma; \Psi; E; \Delta \Rightarrow (g_1 \circ [u_1',u_2']) :: Q$ (Assumption)

2. $\Sigma; \Psi; E; \Delta \Rightarrow Q$ (Inversion on 1)

3. $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2$ (i.h. on the premise and 2)

□


Lemma D.11 (Admissibility of (⊃L)). Suppose the following hold:

1. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow g \circ [u_1',u_2']$

2. $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2$

Then,

A. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2'] \Rightarrow g'' \circ [u_1'',u_2'']$ implies $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow g'' \circ [u_1'',u_2'']$

B. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2'] \Rightarrow Q$ implies $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow Q$

C. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2']; H \Leftarrow g'' \circ [u_1'',u_2'']$ implies $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2]; H \Leftarrow g'' \circ [u_1'',u_2'']$

D. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2'] \Rrightarrow p'' \circ [u_1'',u_2'']$ implies $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rrightarrow p'' \circ [u_1'',u_2'']$

Proof. By simultaneous induction on the depths of the derivations given in (A)–(D) and case analysis of the last rules in them. The cases in (A), (B), and (C) are straightforward: we apply the induction hypothesis to the premises of the last rule and reapply the rule. In order to apply the induction hypothesis to the premises of the rules (L-clause), (L-cons), (L-inter), and (L-∃) in the proof of (C), we appeal to Lemma D.5 to weaken the given derivation of $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow g \circ [u_1',u_2']$ appropriately. The cases in the proof of (D) are shown below.

Case.

$$\frac{\begin{array}{c} d' \circ [u_3,u_4] \in (\Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2']) \\ \Sigma; d' \circ [u_3,u_4] \ll p \circ [u_3',u_4'] \setminus Q; b \\ \Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2'] \Rightarrow Q \end{array}}{\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2'] \Rrightarrow p \circ [u_3',u_4']}\ \text{N-clause}$$

To show: $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rrightarrow p \circ [u_3',u_4']$. We consider three subcases on the 1st premise and $b$:

Subcase. $d' \circ [u_3,u_4] \in (\Delta, g \supset d \circ [u_1,u_2])$

1. $d' \circ [u_3,u_4] \in (\Delta, g \supset d \circ [u_1,u_2])$ (Subcase assumption)

2. $\Sigma; d' \circ [u_3,u_4] \ll p \circ [u_3',u_4'] \setminus Q; b$ (2nd premise)

3. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow Q$ (i.h. on 3rd premise)

4. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rrightarrow p \circ [u_3',u_4']$ (Rule (N-clause) on 1–3)

Subcase. $d' \circ [u_3,u_4] = d \circ [u_1',u_2']$ and $b = \mathsf{tt}$. So, $d' = d$, $u_3 = u_1'$, and $u_4 = u_2'$.

1. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow Q$ (i.h. on 3rd premise)

2. $\Sigma; d \circ [u_1',u_2'] \ll p \circ [u_3',u_4'] \setminus Q; \mathsf{tt}$ (2nd premise and subcase assumption)

3. $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2$ (Assumption 2)

4. There is a $Q'$ such that

(a) $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_3',u_4'] \setminus Q'; \mathsf{tt}$

(b) $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow Q'$

(Lemma D.9 on 1–3)

5. $\Sigma; g \supset d \circ [u_1,u_2] \ll p \circ [u_3',u_4'] \setminus (g \circ \phi) :: Q'; \mathsf{tt}$ (Rule (F-⊃1) on 4a)

6. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow g \circ \phi$ (Lemma D.8 on assumption 1)

7. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow (g \circ \phi) :: Q'$ (Rule (Q-goal) on 4b and 6)

8. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rrightarrow p \circ [u_3',u_4']$ (Rule (N-clause) on 5, 7)

Subcase. $d' \circ [u_3,u_4] = d \circ [u_1',u_2']$ and $b = \mathsf{ff}$. So, $d' = d$, $u_3 = u_1'$, and $u_4 = u_2'$.

1. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow Q$ (i.h. on 3rd premise)

2. $\Sigma; d \circ [u_1',u_2'] \ll p \circ [u_3',u_4'] \setminus Q; \mathsf{ff}$ (2nd premise and subcase assumption)

3. $\Sigma; \Psi \models u_1 \leq u_1'$ and $\Sigma; \Psi \models u_2' \leq u_2$ (Assumption 2)

4. There is a $Q'$ such that

(a) $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_3',u_4'] \setminus Q'; \mathsf{ff}$

(b) $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow Q'$

(Lemma D.9 on 1–3)

5. $\Sigma; g \supset d \circ [u_1,u_2] \ll p \circ [u_3',u_4'] \setminus (g \circ [u_3',u_4']) :: Q'; \mathsf{ff}$ (Rule (F-⊃2) on 4a)

6. $\Sigma; \Psi \models u_1' \leq u_3'$ and $\Sigma; \Psi \models u_4' \leq u_2'$ (Lemma D.10 on 1, 2)

7. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow g \circ [u_3',u_4']$ (Lemma D.8 on 6 and assumption 1)

8. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow (g \circ [u_3',u_4']) :: Q'$ (Rule (Q-goal) on 4b and 7)

9. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rrightarrow p \circ [u_3',u_4']$ (Rule (N-clause) on 5, 8)

Case.

$$\frac{\begin{array}{c} k \text{ claims } d' \circ [u_3,u_4] \in (\Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2']) \qquad \nu = k_0, u_b, u_e \\ \Sigma; \Psi \models k \succeq k_0 \qquad \Sigma; \Psi \models u_3 \leq u_b \qquad \Sigma; \Psi \models u_e \leq u_4 \\ \Sigma; d' \circ [u_3,u_4] \ll p \circ [u_3',u_4'] \setminus Q; b \\ \Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2'] \Rightarrow Q \end{array}}{\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2], d \circ [u_1',u_2'] \Rrightarrow p \circ [u_3',u_4']}\ \text{N-claims}$$

To show: $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rrightarrow p \circ [u_3',u_4']$

1. $k \text{ claims } d' \circ [u_3,u_4] \in \Delta$ (Follows from 1st premise)

2. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rightarrow Q$ (i.h. on 7th premise)

3. $\Sigma; \Psi; E; \Delta, g \supset d \circ [u_1,u_2] \Rrightarrow p \circ [u_3',u_4']$ (Rule (N-claims) on 1, 2nd–6th premises, and 2)

□


Lemma D.12 (Admissibility of (claims)). Suppose the following hold:

1. $\nu = k_0, u_b, u_e$

2. $\Sigma; \Psi \models k_0' \succeq k_0$

3. $\Sigma; \Psi \models u_b' \leq u_b$

4. $\Sigma; \Psi \models u_e \leq u_e'$

Then,

A. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rightarrow g \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rightarrow g \circ [u_1,u_2]$

B. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rightarrow Q$ implies $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rightarrow Q$

C. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e']; H \Leftarrow g \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e']; H \Leftarrow g \circ [u_1,u_2]$

D. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1,u_2]$

Proof. By simultaneous induction on the depths of the derivations given in (A)–(D) and case analysis of their last rules. The interesting cases are shown below.

Case.

$$\frac{\Sigma; \Psi; E; (\Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'])| \Rightarrow g \circ [u_1,u_2]}{\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rightarrow k \text{ says } g \circ [u_1,u_2]}\ \text{R-says}$$

To show: $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rightarrow k \text{ says } g \circ [u_1,u_2]$

1. $(\Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'])| = (\Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'])|$ (Definition)

2. $\Sigma; \Psi; E; (\Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'])| \Rightarrow g \circ [u_1,u_2]$ (Premise and 1)

3. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rightarrow k \text{ says } g \circ [u_1,u_2]$ (Rule (R-says) on 2)

Case.

$$\frac{\begin{array}{c} d \circ [u_1,u_2] \in (\Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e']) \\ \Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; b \\ \Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rightarrow Q \end{array}}{\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']}\ \text{N-clause}$$

To show: $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']$. We consider two subcases on the 1st premise.

Subcase. $d \circ [u_1,u_2] \in (\Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'])$

1. $d \circ [u_1,u_2] \in (\Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'])$ (Subcase assumption)

2. $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; b$ (2nd premise)

3. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rightarrow Q$ (i.h. on 3rd premise)

4. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']$ (Rule (N-clause) on 1–3)

Subcase. $d \circ [u_1,u_2] = d_0' \circ [u_b',u_e']$. Therefore, $d = d_0'$, $u_1 = u_b'$, and $u_2 = u_e'$.

1. $k_0' \text{ claims } d_0' \circ [u_b',u_e'] \in (\Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'])$

2. $\nu = k_0, u_b, u_e$ (Assumption 1)

3. $\Sigma; \Psi \models k_0' \succeq k_0$ (Assumption 2)

4. $\Sigma; \Psi \models u_b' \leq u_b$ (Assumption 3)

5. $\Sigma; \Psi \models u_e \leq u_e'$ (Assumption 4)

6. $\Sigma; d_0' \circ [u_b',u_e'] \ll p \circ [u_1',u_2'] \setminus Q; b$ (2nd premise and subcase assumption)

7. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rightarrow Q$ (i.h. on 3rd premise)

8. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']$ (Rule (N-claims) on 1–7)

Case.

$$\frac{\begin{array}{c} k \text{ claims } d \circ [u_1,u_2] \in (\Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e']) \qquad \nu = k_0, u_b, u_e \\ \Sigma; \Psi \models k \succeq k_0 \qquad \Sigma; \Psi \models u_1 \leq u_b \qquad \Sigma; \Psi \models u_e \leq u_2 \\ \Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; b \\ \Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rightarrow Q \end{array}}{\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']}\ \text{N-claims}$$

To show: $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']$

1. $k \text{ claims } d \circ [u_1,u_2] \in (\Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'])$ (Follows from 1st premise)

2. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rightarrow Q$ (i.h. on 7th premise)

3. $\Sigma; \Psi; E; \Delta, k_0' \text{ claims } d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']$ (Rule (N-claims) on 1, 2nd–6th premises, and 2)

□


Lemma D.13 (Admissibility of (∧L)). The following hold.

A. $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'], d_0 \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rightarrow g \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'] \Rightarrow g \circ [u_1,u_2]$

B. $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'], d_0 \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rightarrow Q$ implies $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'] \Rightarrow Q$

C. $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'], d_0 \circ [u_b',u_e'], d_0' \circ [u_b',u_e']; H \Leftarrow g \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e']; H \Leftarrow g \circ [u_1,u_2]$

D. $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'], d_0 \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1,u_2]$

Proof. By simultaneous induction on the depths of the derivations given in (A)–(D) and case analysis of their last rules. One interesting case is shown below.

Case.

$$\frac{\begin{array}{c} d \circ [u_1,u_2] \in (\Delta, d_0 \wedge d_0' \circ [u_b',u_e'], d_0 \circ [u_b',u_e'], d_0' \circ [u_b',u_e']) \\ \Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; b \\ \Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'], d_0 \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rightarrow Q \end{array}}{\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'], d_0 \circ [u_b',u_e'], d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']}\ \text{N-clause}$$

To show: $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']$. We analyze three subcases on the 1st premise.

Subcase. $d \circ [u_1,u_2] \in (\Delta, d_0 \wedge d_0' \circ [u_b',u_e'])$

1. $d \circ [u_1,u_2] \in (\Delta, d_0 \wedge d_0' \circ [u_b',u_e'])$ (Subcase assumption)

2. $\Sigma; d \circ [u_1,u_2] \ll p \circ [u_1',u_2'] \setminus Q; b$ (2nd premise)

3. $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'] \Rightarrow Q$ (i.h. on 3rd premise)

4. $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']$ (Rule (N-clause) on 1–3)

Subcase. $d \circ [u_1,u_2] = d_0 \circ [u_b',u_e']$. Then, $d = d_0$, $u_1 = u_b'$, and $u_2 = u_e'$.

1. $d_0 \wedge d_0' \circ [u_b',u_e'] \in (\Delta, d_0 \wedge d_0' \circ [u_b',u_e'])$

2. $\Sigma; d_0 \circ [u_b',u_e'] \ll p \circ [u_1',u_2'] \setminus Q; b$ (2nd premise and subcase assumption)

3. $\Sigma; d_0 \wedge d_0' \circ [u_b',u_e'] \ll p \circ [u_1',u_2'] \setminus Q; b$ (Rule (F-∧1) on 2)

4. $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'] \Rightarrow Q$ (i.h. on 3rd premise)

5. $\Sigma; \Psi; E; \Delta, d_0 \wedge d_0' \circ [u_b',u_e'] \Rrightarrow p \circ [u_1',u_2']$ (Rule (N-clause) on 1, 3, 4)

Subcase. $d \circ [u_1,u_2] = d_0' \circ [u_b',u_e']$. This subcase is similar to the previous subcase, except that we use rule (F-∧2) in the third step. □

Lemma D.14 (Admissibility of (∀L)). Suppose $\Sigma \vdash t : \sigma$. Then the following hold.

A. $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma. d_0 \circ [u_b,u_e], d_0[t/x] \circ [u_b,u_e] \Rightarrow g \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma. d_0 \circ [u_b,u_e] \Rightarrow g \circ [u_1,u_2]$

B. $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma. d_0 \circ [u_b,u_e], d_0[t/x] \circ [u_b,u_e] \Rightarrow Q$ implies $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma. d_0 \circ [u_b,u_e] \Rightarrow Q$

C. $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma. d_0 \circ [u_b,u_e], d_0[t/x] \circ [u_b,u_e]; H \Leftarrow g \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma. d_0 \circ [u_b,u_e]; H \Leftarrow g \circ [u_1,u_2]$

D. $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma. d_0 \circ [u_b,u_e], d_0[t/x] \circ [u_b,u_e] \Rrightarrow p \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma. d_0 \circ [u_b,u_e] \Rrightarrow p \circ [u_1,u_2]$

Proof. By simultaneous induction on the depths of the derivations given in (A)–(D) and case analysis of their last rules, as in the proof of Lemma D.13. In the case of rule (N-clause), we use rule (F-∀). □

Lemma D.15 (Admissibility of (@L)). The following hold.

A. $\Sigma; \Psi; E; \Delta, d_0 @ [u_b',u_e'] \circ [u_b,u_e], d_0 \circ [u_b',u_e'] \Rightarrow g \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, d_0 @ [u_b',u_e'] \circ [u_b,u_e] \Rightarrow g \circ [u_1,u_2]$

B. $\Sigma; \Psi; E; \Delta, d_0 @ [u_b',u_e'] \circ [u_b,u_e], d_0 \circ [u_b',u_e'] \Rightarrow Q$ implies $\Sigma; \Psi; E; \Delta, d_0 @ [u_b',u_e'] \circ [u_b,u_e] \Rightarrow Q$

C. $\Sigma; \Psi; E; \Delta, d_0 @ [u_b',u_e'] \circ [u_b,u_e], d_0 \circ [u_b',u_e']; H \Leftarrow g \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, d_0 @ [u_b',u_e'] \circ [u_b,u_e]; H \Leftarrow g \circ [u_1,u_2]$

D. $\Sigma; \Psi; E; \Delta, d_0 @ [u_b',u_e'] \circ [u_b,u_e], d_0 \circ [u_b',u_e'] \Rrightarrow p \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta, d_0 @ [u_b',u_e'] \circ [u_b,u_e] \Rrightarrow p \circ [u_1,u_2]$

Proof. By simultaneous induction on the depths of the derivations given in (A)–(D) and case analysis of their last rules, as in the proof of Lemma D.13. In the case of rule (N-clause), we use rule (F-@). □
D.3 Properties of the Sequent Calculus

Lemma D.16 (Strong right inversion for ∧, ⊃, ∀, @). The following hold in the sequent calculus for BL.

1. $\Sigma; \Psi; E; \Gamma \longrightarrow s_1 \wedge s_2 \circ [u_1,u_2]$ implies both $\Sigma; \Psi; E; \Gamma \longrightarrow s_1 \circ [u_1,u_2]$ and $\Sigma; \Psi; E; \Gamma \longrightarrow s_2 \circ [u_1,u_2]$ by derivations of smaller or equal depth.

2. $\Sigma; \Psi; E; \Gamma \longrightarrow s_1 \supset s_2 \circ [u_1,u_2]$ implies $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \leq x_1, x_2 \leq u_2; E; \Gamma, s_1 \circ [x_1,x_2] \longrightarrow s_2 \circ [x_1,x_2]$ by a derivation of smaller or equal depth.

3. $\Sigma; \Psi; E; \Gamma \longrightarrow \forall x{:}\sigma. s \circ [u_1,u_2]$ implies $\Sigma, x{:}\sigma; \Psi; E; \Gamma \longrightarrow s \circ [u_1,u_2]$ by a derivation of smaller or equal depth.

4. $\Sigma; \Psi; E; \Gamma \longrightarrow s @ [u_1',u_2'] \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Gamma \longrightarrow s \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

Proof. Each statement follows by a separate induction on the depth of the given derivation and a case analysis of the last rule in the derivation. For every statement, only one right rule may end the derivation, in which case the result follows from the premise(s) of the rule. For left rules, we apply the induction hypothesis to the relevant premises and reapply the rule. As an illustration, we show some representative cases in the proof of statement (2).

Case.

$$\frac{\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \leq x_1, x_2 \leq u_2; E; \Gamma, s_1 \circ [x_1,x_2] \longrightarrow s_2 \circ [x_1,x_2]}{\Sigma; \Psi; E; \Gamma \longrightarrow s_1 \supset s_2 \circ [u_1,u_2]}\ \text{⊃R}$$

To show: $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \leq x_1, x_2 \leq u_2; E; \Gamma, s_1 \circ [x_1,x_2] \longrightarrow s_2 \circ [x_1,x_2]$ by a derivation of smaller or equal depth. This follows immediately, since it is the premise of the rule. Further, the derivation ending at the premise has a depth one less than that of the whole derivation. Note also that the given derivation in statement (2) cannot end in any other right rule.

Case.

$$\frac{\Sigma; \Psi; E; \Gamma, r_1 \vee r_2 \circ [u_1',u_2'], r_1 \circ [u_1',u_2'] \longrightarrow s_1 \supset s_2 \circ [u_1,u_2] \qquad \Sigma; \Psi; E; \Gamma, r_1 \vee r_2 \circ [u_1',u_2'], r_2 \circ [u_1',u_2'] \longrightarrow s_1 \supset s_2 \circ [u_1,u_2]}{\Sigma; \Psi; E; \Gamma, r_1 \vee r_2 \circ [u_1',u_2'] \longrightarrow s_1 \supset s_2 \circ [u_1,u_2]}\ \text{∨L}$$

To show: $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \leq x_1, x_2 \leq u_2; E; \Gamma, r_1 \vee r_2 \circ [u_1',u_2'], s_1 \circ [x_1,x_2] \longrightarrow s_2 \circ [x_1,x_2]$ by a derivation of smaller or equal depth. Let the depth of the entire given derivation be $n$. So each premise has depth at most $n - 1$.

1. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \leq x_1, x_2 \leq u_2; E; \Gamma, r_1 \vee r_2 \circ [u_1',u_2'], r_1 \circ [u_1',u_2'], s_1 \circ [x_1,x_2] \longrightarrow s_2 \circ [x_1,x_2]$ by a derivation of depth at most $n - 1$ (i.h. on 1st premise)

2. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \leq x_1, x_2 \leq u_2; E; \Gamma, r_1 \vee r_2 \circ [u_1',u_2'], r_2 \circ [u_1',u_2'], s_1 \circ [x_1,x_2] \longrightarrow s_2 \circ [x_1,x_2]$ by a derivation of depth at most $n - 1$ (i.h. on 2nd premise)

3. $\Sigma, x_1{:}\mathrm{time}, x_2{:}\mathrm{time}; \Psi, u_1 \leq x_1, x_2 \leq u_2; E; \Gamma, r_1 \vee r_2 \circ [u_1',u_2'], s_1 \circ [x_1,x_2] \longrightarrow s_2 \circ [x_1,x_2]$ by a derivation of depth at most $n$ (Rule (∨L) on 1, 2)

□


Lemma D.17 (Limited strong right inversion for c, i, ∨, ∃, says). The following hold in the sequent calculus for BL. (Observe that the hypotheses in the following statements are restricted to the form $\Delta$.)

1. $\Sigma; \Psi; E; \Delta \longrightarrow c \circ [u_1,u_2]$ implies $\Sigma; \Psi \models c$

2. $\Sigma; \Psi; E; \Delta \longrightarrow i \circ [u_1,u_2]$ implies $\Sigma; E \models i$

3. $\Sigma; \Psi; E; \Delta \longrightarrow s_1 \vee s_2 \circ [u_1,u_2]$ implies either $\Sigma; \Psi; E; \Delta \longrightarrow s_1 \circ [u_1,u_2]$ or $\Sigma; \Psi; E; \Delta \longrightarrow s_2 \circ [u_1,u_2]$, in each case by a derivation of strictly smaller depth.

4. $\Sigma; \Psi; E; \Delta \longrightarrow \exists x{:}\sigma. s \circ [u_1,u_2]$ implies that there is a $t$ such that $\Sigma \vdash t : \sigma$ and $\Sigma; \Psi; E; \Delta \longrightarrow s[t/x] \circ [u_1,u_2]$ by a derivation of strictly smaller depth.

5. $\Sigma; \Psi; E; \Delta \longrightarrow k \text{ says } s \circ [u_1,u_2]$ implies $\Sigma; \Psi; E; \Delta| \xrightarrow{k,u_1,u_2} s \circ [u_1,u_2]$ by a derivation of strictly smaller depth.

Proof. Each statement follows by a separate induction on the depth of the given derivation and a case analysis of the last rule in the derivation, as in the proof of Lemma D.16. As an illustration, we show some representative cases in the proof of (5).

Case.

$$\frac{\Sigma; \Psi; E; \Delta| \xrightarrow{k,u_1,u_2} s \circ [u_1,u_2]}{\Sigma; \Psi; E; \Delta \longrightarrow k \text{ says } s \circ [u_1,u_2]}\ \text{saysR}$$

To show: $\Sigma; \Psi; E; \Delta| \xrightarrow{k,u_1,u_2} s \circ [u_1,u_2]$ by a derivation of strictly smaller depth. This follows immediately from the premise. Note also that no other right rules apply.

Case.

$$\frac{\begin{array}{c} \Sigma; \Psi; E; \Delta, s_1 \supset s_2 \circ [u_1'',u_2''] \longrightarrow s_1 \circ [u_1',u_2'] \\ \Sigma; \Psi; E; \Delta, s_1 \supset s_2 \circ [u_1'',u_2''], s_2 \circ [u_1',u_2'] \longrightarrow k \text{ says } s \circ [u_1,u_2] \\ \Sigma; \Psi \models u_1'' \leq u_1' \qquad \Sigma; \Psi \models u_2' \leq u_2'' \end{array}}{\Sigma; \Psi; E; \Delta, s_1 \supset s_2 \circ [u_1'',u_2''] \longrightarrow k \text{ says } s \circ [u_1,u_2]}\ \text{⊃L}$$

To show: $\Sigma; \Psi; E; (\Delta, s_1 \supset s_2 \circ [u_1'',u_2''])| \xrightarrow{k,u_1,u_2} s \circ [u_1,u_2]$ by a derivation of strictly smaller depth. Let the depth of the entire derivation be $n$. Then the depth of each premise is at most $n - 1$.

1. $\Sigma; \Psi; E; (\Delta, s_1 \supset s_2 \circ [u_1'',u_2''], s_2 \circ [u_1',u_2'])| \xrightarrow{k,u_1,u_2} s \circ [u_1,u_2]$ by a derivation of depth at most $n - 2$ (i.h. on 2nd premise)

2. $(\Delta, s_1 \supset s_2 \circ [u_1'',u_2''], s_2 \circ [u_1',u_2'])| = \Delta| = (\Delta, s_1 \supset s_2 \circ [u_1'',u_2''])|$ (Definition)

3. $\Sigma; \Psi; E; (\Delta, s_1 \supset s_2 \circ [u_1'',u_2''])| \xrightarrow{k,u_1,u_2} s \circ [u_1,u_2]$ by a derivation of depth at most $n - 2$ (1, 2)

Due to the syntax of $\Delta$, the left rules (∨L), (saysL), (consL), (interL), (⊥L), and (∃L) do not apply in the proof of any of the statements of the theorem. As the reader may easily check, the induction step for statement (5) would not have succeeded for the cases (saysL), (consL), (interL), and (⊥L) had they been relevant. Similarly, the induction step for cases (∨L) and (∃L) would not succeed for statements (3) and (4) respectively. □

Lemma D.18 (Strong left inversion for c, i, ∧, ∨, ⊤, ∃, says; Lemma 6.4). The following hold for the sequent calculus of BL.

1. $\Sigma; \Psi; E; \Gamma, c \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma; \Psi, c; E; \Gamma \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

2. $\Sigma; \Psi; E; \Gamma, i \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma; \Psi; E, i; \Gamma \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

3. $\Sigma; \Psi; E; \Gamma, s_1 \wedge s_2 \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma; \Psi; E; \Gamma, s_1 \circ [u_1,u_2], s_2 \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

4. $\Sigma; \Psi; E; \Gamma, s_1 \vee s_2 \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies both $\Sigma; \Psi; E; \Gamma, s_1 \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ and $\Sigma; \Psi; E; \Gamma, s_2 \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by derivations of smaller or equal depth.

5. $\Sigma; \Psi; E; \Gamma, \top \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma; \Psi; E; \Gamma \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

6. $\Sigma; \Psi; E; \Gamma, \exists x{:}\sigma. s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma, x{:}\sigma; \Psi; E; \Gamma, s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

7. $\Sigma; \Psi; E; \Gamma, k \text{ says } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma; \Psi; E; \Gamma, k \text{ claims } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

8. $\Sigma; \Psi; E; \Gamma, s @ [u_1'',u_2''] \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ implies $\Sigma; \Psi; E; \Gamma, s \circ [u_1'',u_2''] \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth.

Proof. Each statement follows by a separate induction on the depth of the given derivation and a case analysis of the last rule in the derivation. As an illustration, we show some representative cases in the proof of statement (7).

Case.

$$\frac{\Sigma; \Psi; E; \Gamma, k \text{ says } s \circ [u_1,u_2], k \text{ claims } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']}{\Sigma; \Psi; E; \Gamma, k \text{ says } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']}\ \text{saysL (principal case)}$$

To show: $\Sigma; \Psi; E; \Gamma, k \text{ claims } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth. Let the depth of the entire derivation be $n$. Then the premise has a derivation of depth $n - 1$.

1. $\Sigma; \Psi; E; \Gamma, k \text{ claims } s \circ [u_1,u_2], k \text{ claims } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of depth less than or equal to $n - 1$ (i.h. on the premise)

2. $\Sigma; \Psi; E; \Gamma, k \text{ claims } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of depth less than or equal to $n - 1$ (Contraction, Theorem 4.8(2), on 1)

Case.

$$\frac{\Sigma; \Psi; E; \Gamma, k'' \text{ says } s'' \circ [u_1'',u_2''], k'' \text{ claims } s'' \circ [u_1'',u_2''], k \text{ says } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']}{\Sigma; \Psi; E; \Gamma, k'' \text{ says } s'' \circ [u_1'',u_2''], k \text{ says } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']}\ \text{saysL (other case)}$$

To show: $\Sigma; \Psi; E; \Gamma, k'' \text{ says } s'' \circ [u_1'',u_2''], k \text{ claims } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of smaller or equal depth. Let the depth of the entire derivation be $n$. Then the premise has a derivation of depth $n - 1$.

1. $\Sigma; \Psi; E; \Gamma, k'' \text{ says } s'' \circ [u_1'',u_2''], k'' \text{ claims } s'' \circ [u_1'',u_2''], k \text{ claims } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of depth at most $n - 1$ (i.h. on premise)

2. $\Sigma; \Psi; E; \Gamma, k'' \text{ says } s'' \circ [u_1'',u_2''], k \text{ claims } s \circ [u_1,u_2] \longrightarrow r \circ [u_1',u_2']$ by a derivation of depth at most $n$ (Rule (saysL) on 1)

Case.

$$\frac{\Sigma; \Psi; E; (\Gamma, k \text{ says } s \circ [u_1,u_2])| \xrightarrow{k',u_1',u_2'} s' \circ [u_1',u_2']}{\Sigma; \Psi; E; \Gamma, k \text{ says } s \circ [u_1,u_2] \longrightarrow k' \text{ says } s' \circ [u_1',u_2']}\ \text{saysR}$$

To show: $\Sigma; \Psi; E; \Gamma, k \text{ claims } s \circ [u_1,u_2] \longrightarrow k' \text{ says } s' \circ [u_1',u_2']$ by a derivation of smaller or equal depth. Let the depth of the entire derivation be $n$. Then the premise has a derivation of depth $n - 1$.

1. $(\Gamma, k \text{ says } s \circ [u_1,u_2])| = \Gamma|$ (Definition)

2. $\Sigma; \Psi; E; \Gamma| \xrightarrow{k',u_1',u_2'} s' \circ [u_1',u_2']$ by a derivation of depth $n - 1$ (Premise and 1)

3. $\Sigma; \Psi; E; \Gamma|, k \text{ claims } s \circ [u_1,u_2] \xrightarrow{k',u_1',u_2'} s' \circ [u_1',u_2']$ by a derivation of depth at most $n - 1$ (Weakening, Theorem 4.8(1d), on 2)

4. $\Gamma|, k \text{ claims } s \circ [u_1,u_2] = (\Gamma, k \text{ claims } s \circ [u_1,u_2])|$ (Definition)

5. $\Sigma; \Psi; E; (\Gamma, k \text{ claims } s \circ [u_1,u_2])| \xrightarrow{k',u_1',u_2'} s' \circ [u_1',u_2']$ by a derivation of depth at most $n - 1$ (3, 4)

6. $\Sigma; \Psi; E; \Gamma, k \text{ claims } s \circ [u_1,u_2] \longrightarrow k' \text{ says } s' \circ [u_1',u_2']$ by a derivation of depth at most $n$ (Rule (saysR) on 5)

□
D.4 Completeness of Goal-directed Search

We define the size of chunks $h$ and groups $H$ as follows.

$$\begin{array}{rcl}
\mathrm{size}(d) & = & 1 \\
\mathrm{size}(c) & = & 1 \\
\mathrm{size}(i) & = & 1 \\
\mathrm{size}(h_1 \wedge h_2) & = & 1 + \mathrm{size}(h_1) + \mathrm{size}(h_2) \\
\mathrm{size}(h_1 \vee h_2) & = & 1 + \mathrm{size}(h_1) + \mathrm{size}(h_2) \\
\mathrm{size}(\top) & = & 1 \\
\mathrm{size}(\bot) & = & 1 \\
\mathrm{size}(\exists x{:}\sigma. h) & = & 1 + \mathrm{size}(h) \\
\mathrm{size}(k \text{ says } d) & = & 1 \\
\mathrm{size}(h @ [u_1,u_2]) & = & 1 + \mathrm{size}(h) \\
\mathrm{size}([]) & = & 0 \\
\mathrm{size}(H :: (h \circ [u_1,u_2])) & = & \mathrm{size}(H) + \mathrm{size}(h)
\end{array}$$

Theorem D.19 (Completeness; Theorem 6.5). The following hold.

A. $\Sigma; \Psi; E; \Delta \longrightarrow g_0 \circ [u_0,u_0']$ implies $\Sigma; \Psi; E; \Delta \Rightarrow g_0 \circ [u_0,u_0']$

B. $\Sigma; \Psi; E; \Delta, |H| \longrightarrow g_0 \circ [u_0,u_0']$ implies $\Sigma; \Psi; E; \Delta; H \Leftarrow g_0 \circ [u_0,u_0']$

Proof. By simultaneous lexicographic induction, first on the depths of the given derivations, and then on the order (B) > (A). For (B), we also subinduct on $\mathrm{size}(H)$. More precisely, the following uses of the i.h. are legitimate:

- We are proving (A) and the i.h. is invoked for (A) or (B) with a derivation of smaller depth.

- We are proving (B) and the i.h. is invoked for (A) or (B) with a derivation of smaller depth.

- We are proving (B) and the i.h. is invoked for (A) with a derivation of equal depth.

- We are proving (B) and the i.h. is invoked for (B) with a derivation of equal depth and $H$ of smaller size.

Proof of (A)

To prove (A), we case analyze the last rule in the given derivation of $\Sigma; \Psi; E; \Delta \longrightarrow g_0 \circ [u_0,u_0']$. For right rules we apply the i.h. to the premises and then apply the corresponding rule from R-sequents. For left rules as well as the rule (claims) we apply the i.h. to the premises, and use one of Lemmas D.11, D.12, D.13, D.14, and D.15, depending on the principal connective.
Case.
$$\frac{\Sigma; \Psi \models u_1' \le u_1 \qquad \Sigma; \Psi \models u_2 \le u_2'}{\Sigma; \Psi; E; \Delta, p \circ [u_1', u_2'] \longrightarrow p \circ [u_1, u_2]}\ \text{(init)}$$

To show: $\Sigma; \Psi; E; \Delta, p \circ [u_1', u_2'] \Rightarrow p \circ [u_1, u_2]$

1. Rule (F-init), applied to $\Sigma;\ p \circ [u_1', u_2'] \,\backslash\, p \circ [u_1, u_2]$, produces the constraint list $(u_1' \le u_1) :: (u_2 \le u_2') :: [\,]$ (Rule (F-init))

2. $\Sigma; \Psi \models u_1' \le u_1$ (1st premise)

3. $\Sigma; \Psi \models u_2 \le u_2'$ (2nd premise)

4. In $\Sigma; \Psi; E; \Delta, p \circ [u_1', u_2']$ the empty constraint list $[\,]$ is satisfied (Rule (Q-0))

5. In $\Sigma; \Psi; E; \Delta, p \circ [u_1', u_2']$ the list $(u_2 \le u_2') :: [\,]$ is satisfied (Rule (Q-leq) on 3,4)

6. In $\Sigma; \Psi; E; \Delta, p \circ [u_1', u_2']$ the list $(u_1' \le u_1) :: (u_2 \le u_2') :: [\,]$ is satisfied (Rule (Q-leq) on 2,5)

7. $p \circ [u_1, u_2]$ follows from $\Sigma; \Psi; E; \Delta, p \circ [u_1', u_2']$ by clause $p \circ [u_1', u_2']$ (Rule (N-clause) on 1,6)

8. $\Sigma; \Psi; E; \Delta, p \circ [u_1', u_2'] \Rightarrow p \circ [u_1, u_2]$ (Rule (R-N) on 7)


Case.
$$\frac{\Sigma; \Psi; E; \Delta, k \ \mathsf{claims}\ d \circ [u_1, u_2], d \circ [u_1, u_2] \longrightarrow g \circ [u_1', u_2'] \qquad \nu = k', u_b, u_e \qquad \Sigma; \Psi \models u_1 \le u_b \qquad \Sigma; \Psi \models u_e \le u_2 \qquad \Sigma; \Psi \models k \succeq k'}{\Sigma; \Psi; E; \Delta, k \ \mathsf{claims}\ d \circ [u_1, u_2] \longrightarrow g \circ [u_1', u_2']}\ \text{(claims)}$$

To show: $\Sigma; \Psi; E; \Delta, k \ \mathsf{claims}\ d \circ [u_1, u_2] \Rightarrow g \circ [u_1', u_2']$

1. $\Sigma; \Psi; E; \Delta, k \ \mathsf{claims}\ d \circ [u_1, u_2], d \circ [u_1, u_2] \Rightarrow g \circ [u_1', u_2']$ (i.h. (A) on premise)

2. $\Sigma; \Psi; E; \Delta, k \ \mathsf{claims}\ d \circ [u_1, u_2] \Rightarrow g \circ [u_1', u_2']$ (Lemma D.12(A) on 1 and 2nd–5th premises)


Case.
$$\frac{\Sigma; \Psi; E; \Delta|_{k, u_1, u_2} \longrightarrow g \circ [u_1, u_2]}{\Sigma; \Psi; E; \Delta \longrightarrow k \ \mathsf{says}\ g \circ [u_1, u_2]}\ \text{(saysR)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow k \ \mathsf{says}\ g \circ [u_1, u_2]$

1. $\Sigma; \Psi; E; \Delta|_{k, u_1, u_2} \Rightarrow g \circ [u_1, u_2]$ (i.h. (A) on premise)

2. $\Sigma; \Psi; E; \Delta \Rightarrow k \ \mathsf{says}\ g \circ [u_1, u_2]$ (Rule (R-says) on 1)

Case.
$$\frac{\Sigma; \Psi; E; \Delta \longrightarrow g \circ [u_1', u_2']}{\Sigma; \Psi; E; \Delta \longrightarrow g \mathrel{@} [u_1', u_2'] \circ [u_1, u_2]}\ \text{(@R)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow g \mathrel{@} [u_1', u_2'] \circ [u_1, u_2]$

1. $\Sigma; \Psi; E; \Delta \Rightarrow g \circ [u_1', u_2']$ (i.h. (A) on premise)

2. $\Sigma; \Psi; E; \Delta \Rightarrow g \mathrel{@} [u_1', u_2'] \circ [u_1, u_2]$ (Rule (R-@) on 1)
Case.
$$\frac{\Sigma; \Psi; E; \Delta, d \mathrel{@} [u_1', u_2'] \circ [u_1, u_2], d \circ [u_1', u_2'] \longrightarrow g \circ [u_1'', u_2'']}{\Sigma; \Psi; E; \Delta, d \mathrel{@} [u_1', u_2'] \circ [u_1, u_2] \longrightarrow g \circ [u_1'', u_2'']}\ \text{(@L)}$$

To show: $\Sigma; \Psi; E; \Delta, d \mathrel{@} [u_1', u_2'] \circ [u_1, u_2] \Rightarrow g \circ [u_1'', u_2'']$

1. $\Sigma; \Psi; E; \Delta, d \mathrel{@} [u_1', u_2'] \circ [u_1, u_2], d \circ [u_1', u_2'] \Rightarrow g \circ [u_1'', u_2'']$ (i.h. (A) on premise)

2. $\Sigma; \Psi; E; \Delta, d \mathrel{@} [u_1', u_2'] \circ [u_1, u_2] \Rightarrow g \circ [u_1'', u_2'']$ (Lemma D.15(A) on 1)


Case.
$$\frac{\Sigma; \Psi \models c}{\Sigma; \Psi; E; \Delta \longrightarrow c \circ [u_1, u_2]}\ \text{(consR)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow c \circ [u_1, u_2]$

1. $\Sigma; \Psi; E; \Delta \Rightarrow c \circ [u_1, u_2]$ (Rule (R-cons) on premise)


Case.
$$\frac{\Sigma; E \models i}{\Sigma; \Psi; E; \Delta \longrightarrow i \circ [u_1, u_2]}\ \text{(interR)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow i \circ [u_1, u_2]$

1. $\Sigma; \Psi; E; \Delta \Rightarrow i \circ [u_1, u_2]$ (Rule (R-inter) on premise)


Case.
$$\frac{\Sigma; \Psi; E; \Delta \longrightarrow g_1 \circ [u_1, u_2] \qquad \Sigma; \Psi; E; \Delta \longrightarrow g_2 \circ [u_1, u_2]}{\Sigma; \Psi; E; \Delta \longrightarrow g_1 \wedge g_2 \circ [u_1, u_2]}\ \text{($\wedge$R)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow g_1 \wedge g_2 \circ [u_1, u_2]$

1. $\Sigma; \Psi; E; \Delta \Rightarrow g_1 \circ [u_1, u_2]$ (i.h. (A) on 1st premise)

2. $\Sigma; \Psi; E; \Delta \Rightarrow g_2 \circ [u_1, u_2]$ (i.h. (A) on 2nd premise)

3. $\Sigma; \Psi; E; \Delta \Rightarrow g_1 \wedge g_2 \circ [u_1, u_2]$ (Rule (R-$\wedge$) on 1,2)

Case.
$$\frac{\Sigma; \Psi; E; \Delta, d_1 \wedge d_2 \circ [u_1, u_2], d_1 \circ [u_1, u_2], d_2 \circ [u_1, u_2] \longrightarrow g \circ [u_1', u_2']}{\Sigma; \Psi; E; \Delta, d_1 \wedge d_2 \circ [u_1, u_2] \longrightarrow g \circ [u_1', u_2']}\ \text{($\wedge$L)}$$

To show: $\Sigma; \Psi; E; \Delta, d_1 \wedge d_2 \circ [u_1, u_2] \Rightarrow g \circ [u_1', u_2']$

1. $\Sigma; \Psi; E; \Delta, d_1 \wedge d_2 \circ [u_1, u_2], d_1 \circ [u_1, u_2], d_2 \circ [u_1, u_2] \Rightarrow g \circ [u_1', u_2']$ (i.h. (A) on premise)

2. $\Sigma; \Psi; E; \Delta, d_1 \wedge d_2 \circ [u_1, u_2] \Rightarrow g \circ [u_1', u_2']$ (Lemma D.13(A) on 1)


Case.
$$\frac{\Sigma; \Psi; E; \Delta \longrightarrow g_1 \circ [u_1, u_2]}{\Sigma; \Psi; E; \Delta \longrightarrow g_1 \vee g_2 \circ [u_1, u_2]}\ \text{($\vee$R$_1$)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow g_1 \vee g_2 \circ [u_1, u_2]$

1. $\Sigma; \Psi; E; \Delta \Rightarrow g_1 \circ [u_1, u_2]$ (i.h. (A) on premise)

2. $\Sigma; \Psi; E; \Delta \Rightarrow g_1 \vee g_2 \circ [u_1, u_2]$ (Rule (R-$\vee_1$) on 1)

Case.
$$\frac{\Sigma; \Psi; E; \Delta \longrightarrow g_2 \circ [u_1, u_2]}{\Sigma; \Psi; E; \Delta \longrightarrow g_1 \vee g_2 \circ [u_1, u_2]}\ \text{($\vee$R$_2$)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow g_1 \vee g_2 \circ [u_1, u_2]$

1. $\Sigma; \Psi; E; \Delta \Rightarrow g_2 \circ [u_1, u_2]$ (i.h. (A) on premise)

2. $\Sigma; \Psi; E; \Delta \Rightarrow g_1 \vee g_2 \circ [u_1, u_2]$ (Rule (R-$\vee_2$) on 1)

Case.
$$\frac{}{\Sigma; \Psi; E; \Delta \longrightarrow \top \circ [u_1, u_2]}\ \text{($\top$R)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow \top \circ [u_1, u_2]$

1. $\Sigma; \Psi; E; \Delta \Rightarrow \top \circ [u_1, u_2]$ (Rule (R-$\top$))


Case.
$$\frac{\Sigma, x_1{:}\mathsf{time}, x_2{:}\mathsf{time};\ \Psi, u_1 \le x_1, x_2 \le u_2;\ E;\ \Delta, h \circ [x_1, x_2] \longrightarrow g \circ [x_1, x_2]}{\Sigma; \Psi; E; \Delta \longrightarrow h \supset g \circ [u_1, u_2]}\ \text{($\supset$R)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow h \supset g \circ [u_1, u_2]$

1. $\Sigma, x_1{:}\mathsf{time}, x_2{:}\mathsf{time};\ \Psi, u_1 \le x_1, x_2 \le u_2;\ E;\ \Delta;\ h \circ [x_1, x_2] \Leftarrow g \circ [x_1, x_2]$ (i.h. (B) on premise)

2. $\Sigma; \Psi; E; \Delta \Rightarrow h \supset g \circ [u_1, u_2]$ (Rule (R-$\supset$) on 1)


Case.
$$\frac{\Sigma; \Psi; E; \Delta, g_1 \supset d_2 \circ [u_1, u_2] \longrightarrow g_1 \circ [u_1', u_2'] \qquad \Sigma; \Psi; E; \Delta, g_1 \supset d_2 \circ [u_1, u_2], d_2 \circ [u_1', u_2'] \longrightarrow g \circ [u_1'', u_2''] \qquad \Sigma; \Psi \models u_1 \le u_1' \qquad \Sigma; \Psi \models u_2' \le u_2}{\Sigma; \Psi; E; \Delta, g_1 \supset d_2 \circ [u_1, u_2] \longrightarrow g \circ [u_1'', u_2'']}\ \text{($\supset$L)}$$

To show: $\Sigma; \Psi; E; \Delta, g_1 \supset d_2 \circ [u_1, u_2] \Rightarrow g \circ [u_1'', u_2'']$

1. $\Sigma; \Psi; E; \Delta, g_1 \supset d_2 \circ [u_1, u_2] \Rightarrow g_1 \circ [u_1', u_2']$ (i.h. (A) on 1st premise)

2. $\Sigma; \Psi; E; \Delta, g_1 \supset d_2 \circ [u_1, u_2], d_2 \circ [u_1', u_2'] \Rightarrow g \circ [u_1'', u_2'']$ (i.h. (A) on 2nd premise)

3. $\Sigma; \Psi; E; \Delta, g_1 \supset d_2 \circ [u_1, u_2] \Rightarrow g \circ [u_1'', u_2'']$ (Lemma D.11(A) on 1,2 and 3rd,4th premises)


Case.
$$\frac{\Sigma, x{:}\sigma; \Psi; E; \Delta \longrightarrow g \circ [u_1, u_2]}{\Sigma; \Psi; E; \Delta \longrightarrow \forall x{:}\sigma.\,g \circ [u_1, u_2]}\ \text{($\forall$R)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow \forall x{:}\sigma.\,g \circ [u_1, u_2]$

1. $\Sigma, x{:}\sigma; \Psi; E; \Delta \Rightarrow g \circ [u_1, u_2]$ (i.h. (A) on premise)

2. $\Sigma; \Psi; E; \Delta \Rightarrow \forall x{:}\sigma.\,g \circ [u_1, u_2]$ (Rule (R-$\forall$) on 1)

Case.
$$\frac{\Sigma; \Psi; E; \Delta, \forall x{:}\sigma.\,d \circ [u_1, u_2], d[t/x] \circ [u_1, u_2] \longrightarrow g \circ [u_1', u_2'] \qquad \Sigma \vdash t : \sigma}{\Sigma; \Psi; E; \Delta, \forall x{:}\sigma.\,d \circ [u_1, u_2] \longrightarrow g \circ [u_1', u_2']}\ \text{($\forall$L)}$$

To show: $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma.\,d \circ [u_1, u_2] \Rightarrow g \circ [u_1', u_2']$

1. $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma.\,d \circ [u_1, u_2], d[t/x] \circ [u_1, u_2] \Rightarrow g \circ [u_1', u_2']$ (i.h. (A) on premise)

2. $\Sigma; \Psi; E; \Delta, \forall x{:}\sigma.\,d \circ [u_1, u_2] \Rightarrow g \circ [u_1', u_2']$ (Lemma D.14(A) on 1 and 2nd premise)


Case.
$$\frac{\Sigma; \Psi; E; \Delta \longrightarrow g[t/x] \circ [u_1, u_2] \qquad \Sigma \vdash t : \sigma}{\Sigma; \Psi; E; \Delta \longrightarrow \exists x{:}\sigma.\,g \circ [u_1, u_2]}\ \text{($\exists$R)}$$

To show: $\Sigma; \Psi; E; \Delta \Rightarrow \exists x{:}\sigma.\,g \circ [u_1, u_2]$

1. $\Sigma; \Psi; E; \Delta \Rightarrow g[t/x] \circ [u_1, u_2]$ (i.h. (A) on premise)

2. $\Sigma; \Psi; E; \Delta \Rightarrow \exists x{:}\sigma.\,g \circ [u_1, u_2]$ (Rule (R-$\exists$) on 1 and 2nd premise)

Due to syntactic restrictions on $\Delta$, no other rules apply.

Proof of (B)

To prove (B), we subinduct on $\mathsf{size}(\Xi)$. If $\mathsf{size}(\Xi) = 0$, then $\Xi = [\,]$. In this case we proceed as follows.

1. $\Sigma; \Psi; E; \Delta \longrightarrow g_0 \circ [u_0, u_0']$ (Given derivation)

2. $\Sigma; \Psi; E; \Delta \Rightarrow g_0 \circ [u_0, u_0']$ (i.h. (A) on 1; valid because (B) > (A))

3. $\Sigma; \Psi; E; \Delta; [\,] \Leftarrow g_0 \circ [u_0, u_0']$ (Rule (L-R) on 2)

If, on the other hand, $\mathsf{size}(\Xi) > 0$, then there is at least one chunk in $\Xi$. We case analyze the form of the last chunk in $\Xi$.


Case. $\Xi = \Xi' :: (d \circ [u_1, u_2])$

1. $\Sigma; \Psi; E; \Delta, |\Xi'|, d \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Given derivation)

2. $\Sigma; \Psi; E; \Delta, d \circ [u_1, u_2]; \Xi' \Leftarrow g_0 \circ [u_0, u_0']$ (i.h. (B) on 1; $\mathsf{size}(\Xi') < \mathsf{size}(\Xi)$)

3. $\Sigma; \Psi; E; \Delta; \Xi' :: (d \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$

Case. $\Xi = \Xi' :: (c \circ [u_1, u_2])$

1. $\Sigma; \Psi; E; \Delta, |\Xi'|, c \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Given derivation)

2. $\Sigma; \Psi, c; E; \Delta, |\Xi'| \longrightarrow g_0 \circ [u_0, u_0']$ (Lemma D.18(1) on 1)

3. $\Sigma; \Psi, c; E; \Delta; \Xi' \Leftarrow g_0 \circ [u_0, u_0']$ (i.h. (B) on 2; $\mathsf{size}(\Xi') < \mathsf{size}(\Xi)$)

4. $\Sigma; \Psi; E; \Delta; \Xi' :: (c \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (Rule (L-cons) on 3)

Case. $\Xi = \Xi' :: (i \circ [u_1, u_2])$

1. $\Sigma; \Psi; E; \Delta, |\Xi'|, i \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Given derivation)

2. $\Sigma; \Psi; E, i; \Delta, |\Xi'| \longrightarrow g_0 \circ [u_0, u_0']$ (Lemma D.18(2) on 1)

3. $\Sigma; \Psi; E, i; \Delta; \Xi' \Leftarrow g_0 \circ [u_0, u_0']$ (i.h. (B) on 2; $\mathsf{size}(\Xi') < \mathsf{size}(\Xi)$)

4. $\Sigma; \Psi; E; \Delta; \Xi' :: (i \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (Rule (L-inter) on 3)


Case. $\Xi = \Xi' :: (h_1 \wedge h_2 \circ [u_1, u_2])$. Define $\Xi'' = \Xi' :: (h_1 \circ [u_1, u_2]) :: (h_2 \circ [u_1, u_2])$. Note that $\mathsf{size}(\Xi'') = \mathsf{size}(\Xi) - 1$.

1. $\Sigma; \Psi; E; \Delta, |\Xi'|, h_1 \wedge h_2 \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Given derivation)

2. $\Sigma; \Psi; E; \Delta, |\Xi'|, h_1 \circ [u_1, u_2], h_2 \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Lemma D.18(3) on 1)

3. $\Sigma; \Psi; E; \Delta; \Xi' :: (h_1 \circ [u_1, u_2]) :: (h_2 \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (i.h. (B) on 2; $\mathsf{size}(\Xi'') < \mathsf{size}(\Xi)$)

4. $\Sigma; \Psi; E; \Delta; \Xi' :: (h_1 \wedge h_2 \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (Rule (L-$\wedge$) on 3)

Case. $\Xi = \Xi' :: (h_1 \vee h_2 \circ [u_1, u_2])$. Define $\Xi_1 = \Xi' :: (h_1 \circ [u_1, u_2])$ and $\Xi_2 = \Xi' :: (h_2 \circ [u_1, u_2])$. Note that $\mathsf{size}(\Xi_1) < \mathsf{size}(\Xi)$ and $\mathsf{size}(\Xi_2) < \mathsf{size}(\Xi)$.

1. $\Sigma; \Psi; E; \Delta, |\Xi'|, h_1 \vee h_2 \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Given derivation)

2. $\Sigma; \Psi; E; \Delta, |\Xi'|, h_1 \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ and $\Sigma; \Psi; E; \Delta, |\Xi'|, h_2 \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Lemma D.18(4) on 1)

3. $\Sigma; \Psi; E; \Delta; \Xi' :: (h_1 \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ and $\Sigma; \Psi; E; \Delta; \Xi' :: (h_2 \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (i.h. (B) on 2; $\mathsf{size}(\Xi_1) < \mathsf{size}(\Xi)$ and $\mathsf{size}(\Xi_2) < \mathsf{size}(\Xi)$)

4. $\Sigma; \Psi; E; \Delta; \Xi' :: (h_1 \vee h_2 \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (Rule (L-$\vee$) on derivations in 3)

Case. $\Xi = \Xi' :: (\top \circ [u_1, u_2])$. Note that $\mathsf{size}(\Xi') < \mathsf{size}(\Xi)$.

1. $\Sigma; \Psi; E; \Delta, |\Xi'|, \top \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Given derivation)

2. $\Sigma; \Psi; E; \Delta, |\Xi'| \longrightarrow g_0 \circ [u_0, u_0']$ (Lemma D.18(5) on 1)

3. $\Sigma; \Psi; E; \Delta; \Xi' \Leftarrow g_0 \circ [u_0, u_0']$ (i.h. (B) on 2; $\mathsf{size}(\Xi') < \mathsf{size}(\Xi)$)

4. $\Sigma; \Psi; E; \Delta; \Xi' :: (\top \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (Rule (L-$\top$) on 3)

Case. $\Xi = \Xi' :: (\bot \circ [u_1, u_2])$

1. $\Sigma; \Psi; E; \Delta; \Xi' :: (\bot \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (Rule (L-$\bot$))

Case. $\Xi = \Xi' :: (\exists x{:}\sigma.\,h \circ [u_1, u_2])$. Define $\Xi'' = \Xi' :: (h \circ [u_1, u_2])$ and note that $\mathsf{size}(\Xi'') < \mathsf{size}(\Xi)$.

1. $\Sigma; \Psi; E; \Delta, |\Xi'|, \exists x{:}\sigma.\,h \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Given derivation)

2. $\Sigma, x{:}\sigma; \Psi; E; \Delta, |\Xi'|, h \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Lemma D.18(6) on 1)

3. $\Sigma, x{:}\sigma; \Psi; E; \Delta; \Xi' :: (h \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (i.h. (B) on 2; $\mathsf{size}(\Xi'') < \mathsf{size}(\Xi)$)

4. $\Sigma; \Psi; E; \Delta; \Xi' :: (\exists x{:}\sigma.\,h \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (Rule (L-$\exists$) on 3)

Case. $\Xi = \Xi' :: (k \ \mathsf{says}\ d \circ [u_1, u_2])$.

1. $\Sigma; \Psi; E; \Delta, |\Xi'|, k \ \mathsf{says}\ d \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Given derivation)

2. $\Sigma; \Psi; E; \Delta, |\Xi'|, k \ \mathsf{claims}\ d \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Lemma D.18(7) on 1)

3. $\Sigma; \Psi; E; \Delta, k \ \mathsf{claims}\ d \circ [u_1, u_2]; \Xi' \Leftarrow g_0 \circ [u_0, u_0']$ (i.h. (B) on 2; $\mathsf{size}(\Xi') < \mathsf{size}(\Xi)$)

4. $\Sigma; \Psi; E; \Delta; \Xi' :: (k \ \mathsf{says}\ d \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (Rule (L-says) on 3)

Case. $\Xi = \Xi' :: (h \mathrel{@} [u_1', u_2'] \circ [u_1, u_2])$. Define $\Xi'' = \Xi' :: (h \circ [u_1', u_2'])$ and note that $\mathsf{size}(\Xi'') < \mathsf{size}(\Xi)$.

1. $\Sigma; \Psi; E; \Delta, |\Xi'|, h \mathrel{@} [u_1', u_2'] \circ [u_1, u_2] \longrightarrow g_0 \circ [u_0, u_0']$ (Given derivation)

2. $\Sigma; \Psi; E; \Delta, |\Xi'|, h \circ [u_1', u_2'] \longrightarrow g_0 \circ [u_0, u_0']$ (Lemma D.18(8) on 1)

3. $\Sigma; \Psi; E; \Delta; \Xi' :: (h \circ [u_1', u_2']) \Leftarrow g_0 \circ [u_0, u_0']$ (i.h. (B) on 2; $\mathsf{size}(\Xi'') < \mathsf{size}(\Xi)$)

4. $\Sigma; \Psi; E; \Delta; \Xi' :: (h \mathrel{@} [u_1', u_2'] \circ [u_1, u_2]) \Leftarrow g_0 \circ [u_0, u_0']$ (Rule (L-@) on 3)

$\square$
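As an added illustration (not code from the thesis), the following Python encodes the size measure defined at the start of this section and checks, for every form the last chunk of Ξ can take, that each use of i.h. (B) in the Proof of (B) is on a chunk list of strictly smaller size. The AST, the constructor names and the sample lists are constructed here; intervals are omitted because size(h) does not depend on them.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed AST for the hypothesis forms h of the proof of (B).
# kind is one of: 'd', 'c', 'i', 'and', 'or', 'top', 'bot', 'exists', 'says', 'at'.
@dataclass(frozen=True)
class H:
    kind: str
    args: Tuple["H", ...] = ()

def size_h(h: H) -> int:
    """size(h) as defined on the page (d, c, i, top, bot and k says d count 1)."""
    if h.kind in ("d", "c", "i", "top", "bot", "says"):
        return 1
    if h.kind in ("and", "or"):
        return 1 + size_h(h.args[0]) + size_h(h.args[1])
    if h.kind in ("exists", "at"):
        return 1 + size_h(h.args[0])
    raise ValueError(f"unknown hypothesis form {h.kind}")

def size_xi(xi: List[H]) -> int:
    """size([]) = 0 and size(Xi :: (h o [u1,u2])) = size(Xi) + size(h)."""
    return sum(size_h(h) for h in xi)

def successors(xi: List[H]) -> List[List[H]]:
    """Chunk lists on which i.h. (B) is invoked when the last chunk of xi is
    decomposed, following the case analysis of Proof of (B).  The bot case is
    closed by (L-bot) without an i.h., so it yields nothing."""
    rest, last = xi[:-1], xi[-1]
    if last.kind in ("d", "c", "i", "top", "says"):
        return [rest]                                  # chunk leaves Xi (to Delta, Psi, E) or is dropped
    if last.kind == "and":
        return [rest + [last.args[0], last.args[1]]]   # Xi'' = Xi' :: h1 :: h2, size(Xi) - 1
    if last.kind == "or":
        return [rest + [last.args[0]], rest + [last.args[1]]]  # Xi1 and Xi2
    if last.kind in ("exists", "at"):
        return [rest + [last.args[0]]]                 # Xi'' = Xi' :: h
    return []                                          # 'bot'

def ih_is_well_founded(xi: List[H]) -> bool:
    """True iff every i.h. (B) use from xi is on a strictly smaller chunk list."""
    return all(size_xi(s) < size_xi(xi) for s in successors(xi))

def all_cases_decrease() -> bool:
    """Exercise every hypothesis form as the last chunk of a constructed Xi."""
    d, c, i = H("d"), H("c"), H("i")
    body = H("or", (H("exists", (d,)), H("at", (c,))))      # a nested sample hypothesis
    prefix = [d, H("says", (d,))]                           # the Xi' shared by all cases
    lasts = [d, c, i, H("and", (body, d)), H("or", (d, body)), H("top"), H("bot"),
             H("exists", (body,)), H("says", (d,)), H("at", (body,))]
    return all(ih_is_well_founded(prefix + [last]) for last in lasts)
```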